EP1354443B1 - Method for broadcast encryption - Google Patents

Method for broadcast encryption Download PDF

Info

Publication number
EP1354443B1
EP1354443B1 EP02710108A EP02710108A EP1354443B1 EP 1354443 B1 EP1354443 B1 EP 1354443B1 EP 02710108 A EP02710108 A EP 02710108A EP 02710108 A EP02710108 A EP 02710108A EP 1354443 B1 EP1354443 B1 EP 1354443B1
Authority
EP
European Patent Office
Prior art keywords
subset
node
tree
keys
users
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP02710108A
Other languages
German (de)
French (fr)
Other versions
EP1354443B2 (en
EP1354443A2 (en
Inventor
Jeffrey Bruce Lotspiech
Dalit Naor
Simeon Naor
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=25089976&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=EP1354443(B1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of EP1354443A2 publication Critical patent/EP1354443A2/en
Application granted granted Critical
Publication of EP1354443B1 publication Critical patent/EP1354443B1/en
Publication of EP1354443B2 publication Critical patent/EP1354443B2/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/605Copy protection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/606Traitor tracing

Definitions

  • the present invention relates generally to broadcast data encryption that uses encryption keys.
  • U.S. Patent No. 6,118,873 discloses a system for encrypting broadcast music, videos, and other content. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.
  • authorized player-recorders are issued software-implemented device keys from a matrix of device keys.
  • the keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Although two devices might share the same key from the same column, the chances that any two devices share exactly the same set keys from all the columns of the matrix are very small when keys are randomly assigned.
  • the keys are used to decrypt content.
  • revoking a set of device keys might result in revoking some keys held by innocent devices. It is desirable to further reduce the chances of accidentally revoking a "good" device, preferably to zero.
  • the present invention is directed to the difficult scenario of "stateless" receivers, i.e., receivers that do not necessarily update their encryption state between broadcasts to accept countermeasures against compromised devices.
  • "stateless” receivers i.e., receivers that do not necessarily update their encryption state between broadcasts to accept countermeasures against compromised devices.
  • a television that subscribes to a pay channel might have its set-top box deenergized for a period of time during which updated encryption data might be broadcast over the system.
  • Such a device would be rendered “stateless” if it happens to be unable to update itself after being reenergized, and would thus not possess updates that would be necessary for future content decryption.
  • the present invention accordingly provides a method for broadcast encryption, comprising: assigning each user in a group of users respective private information I u ; selecting at least one session encryption key K; partitioning users not in a revoked set R into disjoint subsets S i1 ,...S im having associated subset keys L i1 ,...L im ; and encrypting the session key K with the subset keys L i1 ,...,L im to render m encrypted versions of the session key K.
  • the method preferably further comprises partitioning the users into groups S 1 , ...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree.
  • the tree is a complete binary tree.
  • the method preferably further comprises using private information I u to decrypt the session key.
  • the act of decrypting includes using information i j such that a user belongs to a subset S ij , and retrieving a subset key L ij using the private information of the user.
  • each subset S i1 ,...S im includes all leaves in a subtree rooted at some node v i , at least each node in the subtree being associated with a respective subset key.
  • content is provided to users in at least one message defining a header
  • the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of users in the revoked set R and N is the total number of users.
  • each user must store log N keys, wherein N is the total number of users.
  • content is provided to users in at least one message, and wherein each user processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of users.
  • the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • content is provided to users in at least one message defining a header
  • the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of users in the revoked set R.
  • each user must store .5log 2 N + .5log N +1 keys, wherein N is the total number of users.
  • content is provided to users in at least one message, and wherein each user processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of users.
  • the revoked set R defines a spanning tree
  • the method includes: initializing a cover tree T as the spanning tree; iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • each node has at least one label possibly induced by at least one of its ancestors, and wherein each user is assigned labels from all nodes hanging from a direct path between the user and the root but not from nodes in the direct path.
  • labels are assigned to subsets using a pseudorandom sequence generator, and the act of decrypting includes evaluating the pseudorandom sequence generator.
  • content is provided to users in at least one message having a header including a cryptographic function E L , and the method includes prefix-truncating the cryptographic function E L .
  • the tree includes a root and plural nodes, each node having an associated key, and wherein each user is assigned keys from all nodes in a direct path between a leaf representing the user and the root.
  • content is provided to users in at least one message defining plural portions, and each portion is encrypted with a respective session key.
  • the present invention suitably provides a computer program device, comprising: a computer program storage device including a program of instructions usable by a computer, comprising: logic means for accessing a tree to identify plural subset keys; logic means for encrypting a message with a session key; logic means for encrypting the session key at least once with each of the subset keys to render encrypted versions of the session key; and logic means for sending the encrypted versions of the session key in a header of the message to plural stateless receivers.
  • a computer program storage device including a program of instructions usable by a computer, comprising: logic means for accessing a tree to identify plural subset keys; logic means for encrypting a message with a session key; logic means for encrypting the session key at least once with each of the subset keys to render encrypted versions of the session key; and logic means for sending the encrypted versions of the session key in a header of the message to plural stateless receivers.
  • the computer program device preferably further comprises logic means for partitioning receivers not in a revoked set R into disjoint subsets S i1 , ...S im having associated subset keys L i1 , ... , L im .
  • the computer program device preferably further comprises logic means for partitioning the users into groups S 1 , ...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree.
  • the computer program device preferably further comprises logic means for using private information I u to decrypt the session key.
  • the means for decrypting includes logic means for using information i j such that a receiver belongs to a subset S ij , and retrieving a key L ij from the private information of the receiver.
  • each subset S i1 ,....S im includes all leaves in a subtree rooted at some node v i , at least each node in the subtree being associated with a respective subset key.
  • logic means provide content to receivers in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in the revoked set R and N is the total number of receivers.
  • each receiver must store log N keys, wherein N is the total number of receivers.
  • logic means provide content to receivers in at least one message, and wherein each receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • means provide content to receivers in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • each receiver must store .5log 2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • logic means provide content to receivers in at least one message, and wherein each receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the revoked set R defines a spanning tree
  • the computer program device includes: logic means for initializing a cover tree T as the spanning tree; and logic means for iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • logic means assign labels to receivers using a pseudorandom sequence generator, and the labels induce subset keys.
  • the means for decrypting includes evaluating the pseudorandom sequence generator.
  • logic means provide content to receivers in at least one message having a header including a cryptographic function E L
  • the computer program device includes logic means for prefix-truncating the cryptographic function E L .
  • the tree includes a root and plural nodes, each node having an associated key, and wherein logic means assign each receiver keys from all nodes in a direct path between a leaf representing the receiver and the root.
  • logic means provide content to receivers in at least one message defining plural portions, and each portion is encrypted with a respective session key.
  • the present invention suitably provides a computer programmed with instructions to cause the computer to execute method acts including: encrypting broadcast content; and sending the broadcast content to plural stateless good receivers and to at least one revoked receiver such that each stateless good receiver can decrypt the content and the revoked receiver cannot decrypt the content.
  • the method acts further comprise: assigning each receiver in a group of receivers respective private information I u ; selecting at least one session encryption key K; partitioning all receivers not in a revoked set R into disjoint subsets S i1 ,...S im having associated subset keys L i1 , ...,L im ; and encrypting the session key K with the subset keys L i1 ,...,L im to render m encrypted versions of the session key K.
  • the method acts undertaken by the computer further comprise partitioning the users into groups S 1 ,...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree.
  • the tree is a complete binary tree.
  • the method acts include using private information I u to decrypt the session key.
  • the act of decrypting undertaken by the computer includes using information i j such that a receiver belongs to a subset S ij , and retrieving a key L ij using the private information of the receiver.
  • each subset S i1 ,...S im includes all leaves in a subtree rooted at some node v i , at least each node in the subtree being associated with a respective subset key.
  • content is provided to receivers in at least one message defining a header
  • the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in the revoked set R and N is the total number of receivers.
  • each receiver must store log N keys, wherein N is the total number of receivers.
  • content is provided to receivers in at least one message, and wherein each receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • content is provided to receivers in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • each receiver must store .5log 2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • content is provided to receivers in at least one message, and wherein each receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the revoked set R defines a spanning tree
  • the method acts undertaken by the computer further include: initializing a cover tree T as the spanning tree; iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • the computer assigns node labels to receivers from the tree using a pseudorandom sequence generator.
  • the act of decrypting undertaken by the computer includes evaluating the pseudorandom sequence generator.
  • content is provided to receivers in at least one message having a header including a cryptographic function E L , and the method acts undertaken by the computer include prefix-truncating the cryptographic function E L .
  • content is provided to receivers in at least one message defining plural portions, and each portion is encrypted by the computer with a respective session key.
  • each node has plural labels with each ancestor of the node inducing a respective label, and wherein each user is assigned labels from all nodes hanging from a direct path between the user and the root but not from nodes in the direct path.
  • the present invention suitably comprises a method for broadcast encryption, comprising: assigning each user in a group of users respective private information I u ; selecting at least one session encryption key K; partitioning all users into groups S 1 ,...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree; partitioning users not in a revoked set R into disjoint subsets S i1 ,...S im having associated subset keys L i1 , ...L im ; and encrypting the session key K with the subset keys L i1 , ..., L im to render m encrypted versions of the session key K, wherein the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • the present invention suitably comprises a potentially stateless receiver in a multicast system, comprising: at least one data storage device storing plural labels of nodes that are not in a direct path between the receiver and a root of a tree having a leaf representing the receiver, but that hang off the direct path and that are induced by some node v i , an ancestor of the leaf representing the receiver, the labels establishing private information I u of the receiver usable by the receiver to decrypt subset keys derived from the labels.
  • the receiver computes the subset keys of all sets except a direct path set that are rooted at the node v i by evaluating a pseudorandom function, but can compute no other subset keys.
  • the receiver decrypts a session key using at least one subset key, the session key being useful for decrypting content.
  • the present invention suitably comprises a receiver of content, comprising: means for storing respective private information I u ; means for receiving at least one session encryption key K encrypted with plural subset keys, the session key encrypting content; and means for obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content.
  • the receiver is partitioned into one of a set of groups S 1 ,...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree defining nodes and leaves.
  • subsets S i1 ,...,S im derived from the set of groups S 1 ,...,S w define a cover.
  • the receiver receives content in at least one message defining a header
  • the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in a revoked set R and N is the total number of receivers.
  • the receiver must store log N keys, wherein N is the total number of receivers.
  • the receiver receives content in at least one message defining a header, and wherein the receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • a revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • the receiver receives content in a message having a header including at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • the receiver must store .5log 2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • content is provided to the receiver in at least one message, and wherein the receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the receiver decrypts the subset key by evaluating a pseudorandom sequence generator.
  • the present invention comprises a receiver of content, comprising: a data storage storing respective private information I u ; a processing device receiving at least one session encryption key K encrypted with plural subset keys, the session key encrypting content, the processing device obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content.
  • the receiver is partitioned into one of a set of groups S 1 ,...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree.
  • subsets S i1 ,...,S im derived from the set of groups S 1 ,...,S w define a cover.
  • the receiver receives content in at least one message defining a header
  • the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in a revoked set R and N is the total number of receivers.
  • the receiver must store log N keys, wherein N is the total number of receivers.
  • the receiver receives content in at least one message defining a header, and wherein the receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • one revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • the receiver receives content in a message having a header including at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • the receiver must store .5log 2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • content is provided to the receiver in at least one message, and wherein the receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • the receiver decrypts the subset key by evaluating a pseudorandom sequence generator.
  • the present invention suitably comprises a medium holding a message of content of the general form ⁇ [i 1 , i 2 , ... , i m , E Li1 (K) , E Li2 (K) ,..., E Lim (K)] , F K (M) >, wherein K is a session key, F K is an encryption primitive, E K is an encryption primitive, L i are subset keys associated with subsets of receivers in an encryption broadcast system, M is a message body, and i 1 , i 2 ,...,i m are tree node subsets defining a cover.
  • the encryption primitive F K is implemented by XORing the message body M with a stream cipher generated by the session key K.
  • E L is a Prefix-Truncation specification of a block cipher
  • 1 represents a random string whose length equals the block length of E L
  • K is a short key for F K
  • the message is of the form ⁇ i 1 , i 2 , ... , i m , U
  • 1/i j is encrypted and the message is of the form ⁇ i 1 , i 2 , ... , i m , U , Prefix - L - ⁇ E Li ⁇ 1 U / i l / K , ... , Prefix - L - ⁇ E Lim U / i m / K , F K M > .
  • the subset keys are derived from a tree including a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • the subset keys are derived from a tree including a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node v i , at least each node in the subtree being associated with a respective subset key.
  • the act of partitioning is undertaken by a system computer in a system of receivers separate from the system computer.
  • the act of partitioning is undertaken by a receiver computer.
  • the receiver derives the subsets in the cover.
  • the invention suitably includes a computer system for undertaking the inventive logic set forth herein.
  • the invention can also be embodied in a computer program product that stores the present logic and that can be accessed by a processor to execute the logic.
  • the invention may suitably include a computer-implemented method that follows the logic disclosed below.
  • the invention suitably includes a method for grouping users into (possibly overlapping) subsets of users, each subset having a unique, preferably long-lived subset key, and assigning each user respective private information I u .
  • the method also suitably includes selecting at least one preferably short-lived session encryption key K, and partitioning users not in a revoked set R into disjoint subsets S i1 ,...S im having associated subset keys L i1 ,...,L im .
  • the session key K is suitably encrypted with the subset keys L i1 , ...,L im to render m encrypted versions of the session key K.
  • the users can establish leaves in a tree such as a complete binary tree, and the subsets S i1 ,...S im are induced by the tree.
  • the users are initially partitioned into groups S 1 ,...,S w , wherein "w" is an integer.
  • a given transmission suitably selects m such groups as a “cover” for non-revoked users, with the cover being defined by the set of revoked users.
  • the "cover” groups suitably establish subtrees (either complete subtrees or a difference between two subtrees) in a tree.
  • a user's private information I u is preferably found as information i j in a transmitted message that indicates that a user belongs to a subset S ij of one of the groups S 1 ,...,S w .
  • a subset key L ij can then be obtained from or derived using the private information of the user.
  • each subset S i includes all leaves in a subtree rooted at some node v i , with at least each node in the subtree being associated with a respective subset key.
  • content is provided to users in a message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of users in the revoked set R and N is the total number of users.
  • each user must store log N keys, and each user processes the message using at most log log N operations plus a single decryption operation.
  • respective groups of users correspond to a universe of sets S 1 ,...,S w that can be described as "a first subtree A minus a second subtree B that is entirely contained in A”.
  • Each node in this tree has a set of labels, one unique to the node and others that are induced by ancestor nodes.
  • Each user is assigned labels from all nodes hanging from nodes in a direct path between the receiver and the root (at most logN labels from each such node), but not from nodes in the direct path itself.
  • each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • One of the labels of the subset difference nodes for a particular user are provided to the user in a transmission as that user's private information. Using the labels, the user can generate the subset keys necessary for decryption.
  • the message header includes at most 2r-1 (1.25r on average) subset keys and encryptions, each user must store .5log 2 N + .5log N +1 keys, and each user processes the message using at most log N operations (preferably applications of a pseudorandom generator) plus a single decryption operation.
  • the revoked set R defines a spanning tree.
  • a cover tree T is initialized as the spanning tree, and then the method iteratively removes nodes from the cover tree T and adds subtrees to the cover tree T until the cover tree T has at most one node.
  • the cover tree T is used to identify subset keys to be used in a particular transmission, with users evaluating the pseudorandom sequence generator to derive subset keys from the labels.
  • revocations are processed in order from left to right such that only two revocations at a time must be kept in memory.
  • the message header includes a cryptographic function E L
  • the method includes prefix-truncating the cryptographic prefix function E L . If desired, portions of the message can be encrypted with respective session keys.
  • a computer program device suitably includes a computer program storage device that in turn includes a program of instructions that can be used by a computer.
  • the program includes logic means for accessing a tree to obtain plural subset keys, and logic means for encrypting a message with a session key.
  • Logic means are also provided for encrypting the session key at least once with each of the subset keys to render encrypted versions of the session key. Then, logic means send the encrypted versions of the session key in a header of the message to plural stateless receivers.
  • a computer is suitably programmed with instructions to cause the computer to encrypt broadcast content, and send the broadcast content to plural stateless good receivers and to at least one revoked receiver such that each stateless good receiver can decrypt the content and the revoked receiver cannot decrypt the content.
  • a potentially stateless receiver u in a broadcast encryption system suitably includes a data storage storing respective private information I u , and a processing device that receives a session encryption key K which is encrypted with plural subset keys.
  • the session key encrypts content, with the processing device obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content.
  • the receiver is partitioned into one of a set of groups S 1 ,...,S w , wherein "w" is an integer, and the groups establish subtrees in a tree.
  • Subsets S i1 ,...,S im derived from the set of groups S 1 ,...,S w define a cover that is calculated by the receiver or by a system computer.
  • the tree includes a root and plural nodes, with each node having at least one associated label.
  • Each subset includes all leaves in a subtree rooted at some node v i that are not in the subtree rooted at some other node v j that descends from v i .
  • a medium suitably holds a message of content of the general form ⁇ [i 1 , i 2 ,...,i m , E Li1 (K), E Li2 (K) ,...,E Lim (K)], F K (M) >, wherein K is a session key, F K is an encryption primitive, E K is an encryption primitive, L i are subset keys associated with subsets of receivers in an encryption broadcast system, M is a message body, and i 1 , i 2 ,...,i m are tree node subsets defining a cover.
  • a system for generating sets of keys in a broadcast content guard system, such as but not limited to the system disclosed in the above-referenced patent.
  • broadcast is meant the wide dissemination of a program from a content provider to many users simultaneously over cable (from a satellite source), or wire, or radiofrequency (including from a satellite source), or from widely marketed content disks.
  • the system 10 includes a key set definition computer 12 that accesses a key set definition module 14 that functions in accordance with disclosure below.
  • the key sets defined by the computer 12 are used by potentially stateless player-recorder devices 16, also referred to herein as “receivers” and “users”, that have processors inside them to decrypt content.
  • the content along with certain keys disclosed below are provided to the respective devices via, e.g., device manufacturers 16 on media 17.
  • a player-recorder device can access its key set to decrypt the content on media or broadcast to it via wireless communication.
  • media can include but is not limited to DVDs, CDs, hard disk drives, and flash memory devices.
  • each receiver 16 could execute the module 14 to undertake the step of calculating the below-disclosed "cover” by being given the set of revoked receivers and undertaking the logic set forth below.
  • the processor associated with the module 14 accesses the modules to undertake the logic shown and discussed below, which may be executed by a processor as a series of computer-executable instructions.
  • Two methods - the complete subtree method, and the subset difference method - are disclosed herein for using the system 10 to selectively revoke the ability of compromised receivers 16 to decrypt broadcast content without revoking the ability of any non- compromised receiver 16 to decrypt broadcast content.
  • the instructions may be contained on a data storage device with a computer readable medium, such as a computer diskette having a computer usable medium with computer readable code elements stored thereon.
  • the instructions may be stored on a DASD array, magnetic tape, conventional hard disk drive, electronic read-only memory, optical storage device, or other appropriate data storage device.
  • the computer-executable instructions may be lines of compiled C ++ compatible code.
  • the flow charts herein illustrate the structure of the logic of a preferred embodiment of the present invention as embodied in computer program software.
  • the flow charts illustrate the structures of computer program code elements including logic circuits on an integrated circuit, that function according to this invention.
  • the invention is practiced in its essential embodiment by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (that is, a computer) to perform a sequence of function acts corresponding to those shown.
  • the system is initiated by assigning long-lived subset keys L 1 ,...,L w to corresponding subsets in a universe of subsets S 1 ,...,S w into which receivers are grouped in accordance with the disclosure below, with each subset S j thus having a long-lived subset key L j associated with it.
  • the subsets covering receivers not in a revoked set are simply the subtrees that are generated per the disclosure below.
  • the subset difference the subsets covering receivers not in a revoked set are defined by the difference between a first subtree and a smaller subtree that is entirely within the first subtree as set forth further below.
  • the system is further initiated by supplying each receiver u with private information I u that is useful for decrypting content. Details of the private information I u are set forth further below. If I u is the secret information provided to receiver u, then each receiver u in S j can deduce L j from its I u . As set forth more fully below, given the revoked set R, the non-revoked receivers are partitioned into m disjoint subsets S i1 ,...,S im and a short-lived session key K is encrypted m times with the long-lived subset keys L i1 ,...,L im associated with respective subsets S i1 ,...,S im .
  • the subset keys are explicit subset keys in the complete subtree method and are induced by subset labels in the subset difference method.
  • At block 22 at least one session key K is selected with which to encrypt content that is broadcast in a message M, either via wireless or wired communication paths or via storage media such as CDs and DVDs.
  • the session key K is a random string of bits that is selected anew for each message. If desired, plural session keys can be used to encrypt respective portions of the message M.
  • non-revoked receivers are partitioned into disjoint subsets S i1 ,...S im at block 24 using a tree.
  • the subsets are sometimes referred to herein as "subtrees", with the first method explicitly considering subtrees and the second method regarding subtrees as being of the form "a first subtree minus a second subtree entirely contained in the first".
  • Each subset S i1 ,..., S im is associated with a respective subset key L i1 ,...,L im . While any data tree-like structure is contemplated herein, for disclosure purposes it is assumed that the tree is a full binary tree.
  • the session key K is encrypted m times, once with each subset key L i1 ,...,L im .
  • the resulting ciphertext that is broadcast can be represented as follows, with portions between the brackets representing the header of the message M and with i 1 , i 2 ,...,i m representing indices of the disjoint subsets: ⁇ i 1 , i 2 , ... , i m , E Li ⁇ 1 K , E Li ⁇ 2 K , ... , E Lim K , F k M >
  • the encryption primitive F k is implemented by XORing the message M with a stream cipher generated by the session key K.
  • the encryption primitive E L is a method for delivering the session key K to the receivers 16, using the long-lived subset keys. It is to be understood that all encryption algorithms for F K , E L are within the scope of a preferred embodiment of the present invention.
  • One preferred implementation of E L can be a Prefix-Truncation specification of a block cipher. Assume 1 represents a random string whose length equals the block length of E L , and assume that K is a short key for the cipher F K whose length is, e.g., 56 bits.
  • Prefix -K- E L (1)/K provides a strong encryption. Accordingly, the Prefix-Truncated header becomes: ⁇ i 1 , i 2 , ... , i m , U , Prefix - K - ⁇ E Li ⁇ 1 U / K , ... , Prefix - K - ⁇ E Lim U / K , F K M >
  • each non-revoked receiver u finds a subset identifier i j in the ciphertext such that it belongs to the subset S ij . As disclosed further below, if the receiver is in the revoked set R, the result of block 28 will be null.
  • the receiver extracts the subset key L ij corresponding to the subset S ij using its private information I u .
  • the session key K is determined at block 32, and then the message decrypted at block 34 using the session key K.
  • each the collection of subsets is specified, as is the way keys are assigned to the subsets and a method to cover non-revoked receivers using disjoint subsets from the collection.
  • the set of receivers in the system establishes the leaves of a tree, such as but not limited to a full binary tree.
  • the first method to be discussed is the complete subtree method shown in Figures 4-7 .
  • an independent and random subset key L i is assigned to each node v i in the tree.
  • This subset key L i corresponds to a subset containing all leaves rooted at node v i .
  • each receiver u is provided with all subset keys in the direct path from the receiver to the root.
  • the receivers u in the subset S i are provided with the subset key L i associated with the node v i , as well as with the keys associated with the node P, which lies between the receivers in S i and the root of the tree.
  • the logic of Figure 5 is invoked to partition non-revoked receivers into disjoint subsets.
  • a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers.
  • the spanning tree is the minimal subtree of the full binary tree that connects the "revoked" leaves, and it can be a Steiner tree.
  • the subtrees that have roots adjacent to nodes of degree one in the tree i.e., nodes that are directly adjacent to the minimal tree) are identified.
  • subtrees define a "cover” and establish the subsets S i1 ,...,S im .
  • the cover encompasses all non-revoked receivers. Accordingly, at block 44 the session key K is encrypted using the subsets keys defined by the cover.
  • each receiver invokes the logic of Figure 6 .
  • the receiver's private information I u which in the complete subtree method consists of its position in the tree and subset keys associated with ancestor nodes, is used to determine this. If an ancestor is found in the message header (indicating that the receiver is a non-revoked receiver), the session key K is decrypted at block 48 using the subset key, and then the message is decrypted using the session key K at block 50.
  • the header includes at most r*log(N/r) subset keys and encryptions. This is also the average number of keys and encryptions. Moreover, each receiver must store log N keys, and each receiver processes the message using at most log log N operations plus a single decryption operation.
  • each receiver must store relatively more keys (.5log 2 N + .5log N +1 keys) than in the complete subtree method, but the message header includes only at most 2r-1 subset keys and encryptions (1.25r on average), and this is substantially shorter than in the complete subtree method. Also, in the subset difference method the message is processed using at most log N applications of a pseudorandom number generator plus a single decryption operation.
  • the subset difference method regards subsets as being the difference between a larger subset A and a smaller subset B that is entirely contained in A. Accordingly, as shown a larger subtree is rooted at node v i and a smaller subtree is rooted at node v j that descends from v i .
  • the resulting subset S i,j consists of all the leaves "yes” under v i except for those leaves labelled "no" (and colored more darkly than the leaves labelled "yes”) under v j .
  • Figure 9 illustrates this, with the subset v i,j being represented by the area within the larger triangle and outside the smaller triangle.
  • a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers.
  • the spanning tree is the minimal subtree of the full binary tree that connects the "revoked" leaves, and it can be a Steiner tree.
  • a cover tree T is initialized as the spanning tree. An iterative loop then begins wherein nodes are removed from the cover tree and subtrees are added to the cover until the cover tree T has at most one node. The output defines the cover for the non-revoked receivers.
  • leaves v i and v j are found in the cover tree T such that their least common ancestor v contains no other leaves in T.
  • decision diamond 62 it is determined whether v l equals v i . It is likewise determined whether v k equals v j . If v l does not equal v i the logic moves to block 64 to add the subset S l,i to T, remove from T all descendants of v, and make v a leaf. Likewise, if v k does not equal v j the logic moves to block 64 to add the subset S k,j to T, remove from T all descendants of v, and make v a leaf. From block 64 or from decision diamond 62 when no inequality is determined, the logic loops back to block 56.
  • G is a cryptographic pseudorandom sequence generator that triples the input length
  • G_L(S) denotes the third left of the output of G on the seed S
  • G_R(S) denotes the right third
  • G_M(S) denotes the middle third.
  • each label S induces three parts, namely, the labels for the left and right children, and the key of the node. Consequently, given the label of a node it is possible to compute the labels and keys of all its descendants.
  • the function G is a cryptographic hash such as the Secure Hashing Algorithm-1, although other functions can be used.
  • Figure 12 shows how receivers decrypt messages in the subset difference method.
  • the receiver finds the subset S i,j to which it belongs, along with the associated label (which is part of the private information of the receiver that allows it to derive the LABEL i,j and the subset key L i,j ).
  • the receiver computes the subset key L i,j by evaluating the function G at most N times at block 68. Then, the receiver uses the subset key to decrypt the session key K at block 70 for subsequent message decryption.
  • Figure 13 shows how labels and, hence, subset keys, are assigned to receivers in the subset difference method.
  • the labelling method disclosed herein is used to minimize the number of keys that each receiver must store.
  • each receiver is provided with labels of nodes that are not in the direct path between the receiver and the root but that "hang" off the direct path and that are induced by some node v i , an ancestor of u. These labels establish the private information I u of the receiver at block 74, with subsequent message session keys being encrypted with subset keys derived from the labels at block 76.
  • the receiver u receives labels at all nodes 71 that are hanging off the direct path from the node v i to the receiver u. As discussed further below, these labels are preferably all derived from S. In marked contrast to the complete subtree method, in the subset difference method illustrated in Figures 8-14 the receiver u does not receive labels from any node 73 that is in the direct path from the receiver u to the node v i .
  • the receiver u can compute the subset keys of all sets (except the direct path set) that are rooted at the node v i by evaluating the above-described function G, but can compute no other subset keys.
  • a preferred embodiment of the present invention can be used in such scenarios to cure the lack of backwards secrecy by including, in the set of revoked receivers, all receiver identities that have not yet been assigned. This can be done if all receivers are assigned to leaves in consecutive order. In this case, revocation of all unassigned identities results in a moderate increase in message header size, but not proportionally to the number of such identities.
  • a preferred embodiment of the present invention also recognizes that it is desirable to have concise encodings of the subsets i j in the message header and to provide a quick way for a receiver to determine whether it belongs to a subset i j .
  • a node is denoted by its path to the root, with 0 indicating a left branch and 1 indicating a right branch.
  • the end of the path is denoted by a 1 followed by zero or more 0 bits.
  • the root is 1000....000b
  • the rightmost child of the root is 01000...000b
  • the leftmost child is 11000...000b
  • a leaf is xxxx...xxxx1b.
  • the path of a larger subtree's root is a subset of the path of a smaller subtree's root, so that the subset difference can be denoted by the root of the smaller subtree plus the length of the path to the larger subtree's root.
  • a receiver can quickly determine if it is in a given subset by executing the following Intel Pentium ® processor loop.
  • ECX contains the receiver's leaf node
  • ESI points to the message buffer (the first byte is the length of the path to the larger subtree root and the next four bytes are the root of the smaller tree)
  • a static table outputs 32 bits when indexed by the length of the path, with the first length bits being 1 and the remaining bits being 0.
  • a receiver falls out of the loop, it does not necessarily mean that it belongs to the particular subset. It might be in the smaller excluded subtree, and if so, it must return to the loop. However, since in the vast majority of cases the receiver is not even in the larger subtree, almost no processing time is spent in the loop.
  • the system server does not have to remember each and every label, which could run into the millions.
  • the label of the i th node can be a secret function of the node.
  • the secret function could be a triple DES encryption that uses a secret key to render the label of the i th node when applied to the number i.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Reverberation, Karaoke And Other Acoustics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.

Description

    BACKGROUND OF THE INVENTION 1. Field of the Invention
  • The present invention relates generally to broadcast data encryption that uses encryption keys.
  • 2. Description of the Related Art
  • U.S. Patent No. 6,118,873 discloses a system for encrypting broadcast music, videos, and other content. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.
  • In the encryption method disclosed in the above-referenced patent, authorized player-recorders are issued software-implemented device keys from a matrix of device keys. The keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Although two devices might share the same key from the same column, the chances that any two devices share exactly the same set keys from all the columns of the matrix are very small when keys are randomly assigned. The keys are used to decrypt content.
  • In the event that a device (and its keys) becomes compromised, deliberately or by mistake, it is necessary to revoke the keys of that device. Revoking a set of keys effectively renders the compromised device (and any clones thereof) inoperable to play content that is produced after the revocation. In the above-disclosed patent, for each revocation about 320 message bytes are required. While this is effective, it is desirable to reduce the length of the revocation message even further, for efficiency.
  • While the system disclosed in the above-referenced patent is effective, owing to size constraints of the header area of the message (referred to as "media key block" in the patent), only a relatively limited (10,000 for a 3M header such as DVD-Audio) number of revocations can be made during the life of the system. This number can be increased by increasing the header size, but the added revocations would be applicable only to newly made devices, and not to devices that were made before the header size increase. It is desirable to be able to execute a large number of revocations of both "old" and "new" devices, i.e., to account for stateless receivers. Also, since more than one device can share any particular key with the compromised device in the above-referenced patented invention, revoking a set of device keys might result in revoking some keys held by innocent devices. It is desirable to further reduce the chances of accidentally revoking a "good" device, preferably to zero.
  • Moreover, the present invention is directed to the difficult scenario of "stateless" receivers, i.e., receivers that do not necessarily update their encryption state between broadcasts to accept countermeasures against compromised devices. For example, a television that subscribes to a pay channel might have its set-top box deenergized for a period of time during which updated encryption data might be broadcast over the system. Such a device would be rendered "stateless" if it happens to be unable to update itself after being reenergized, and would thus not possess updates that would be necessary for future content decryption.
  • In addition, there is a growing need for protecting the content of media, such as CDs and DVDs, that is sold to the public and for which it is desirable to prevent unauthorized copying. The recorders in such a system ordinarily do not interact with the players, and no player will get every possible piece of encryption data updates, since no player receives every vended disk. Consequently, as understood herein, content protection of vended media is an example of the problem of broadcast encryption to stateless receivers.
  • Moreover, the presence of more than a few "evil" manufacturers (i.e., manufacturers who legally or illegally obtain keys but who in any case make many unauthorized devices having the keys) can be problematic. It is desirable to account for potentially many "evil" manufacturers.
  • Other methods for broadcast encryption include those disclosed in Fiat et al., Broadcast Encryption, Crypto '93, LNCS vol. 839, pp. 257-270 (1994). This method envisions removing any number of receivers as long as at most "t" of them collude with each other. However, the Fiat et al. method requires relatively large message lengths, a relatively large number of keys be stored at the receiver, and each receiver must perform more than a single decryption operation. Furthermore, the Fiat et al. method does not envision the stateless receiver scenario. There is a need to avoid assuming a priori how many receivers might collude. Also, the message size and number of stored keys be minimized, and that the number of decryption operations that must be performed by a receiver be minimized, to optimize performance.
  • Other encryption systems, like the Fiat et al. system, do not provide for the scenario of stateless receivers, and thus cannot effectively be applied as is to content protection of recorded media. Examples of such systems include the tree-based logical key hierarchy systems disclosed in Wallner et al., Key Management for Multicast: Issues and Architectures, IETF draft wallner-key, 1997; Wong et al., Secure Group Communication Using Key Graphs, SIGCOMM 1998; Canetti et al., Multicast Security: A Taxonomy and Some Efficient Constructions, Proc. of INFOCOM '99, vol. 2, pp. 708-716 (1999); Canetti et al., Efficient Communication-Storage Tradeoffs for Multicast Encryption, Eurocrypt 1999, pp. 459-474; and McGrew et al., Key Establishment in Large Dynamic Groups Using One-Way Function Trees, submitted to IEEE Transactions on Software Engineering (1998).
  • With more specificity regarding the methods of Wallner et al. and Wong et al., keys are assigned by assigning an independent label to each node in a binary tree. Unfortunately, in the referenced methods some of the labels change at every revocation. Clearly, as is, the method would be inappropriate for the stateless receiver scenario. Even were a batch of revocations to be associated with a single label change for every node, the referenced methods of Wallner et al. and Wong et al. would require at least log N decryptions at the receiver and the transmission of rlogN encryptions (wherein r is the number of devices to be revoked and N is the total number of receivers in the system), unfortunately a relatively high number.
  • SUMMARY OF THE INVENTION
  • The present invention accordingly provides a method for broadcast encryption, comprising: assigning each user in a group of users respective private information Iu; selecting at least one session encryption key K; partitioning users not in a revoked set R into disjoint subsets Si1,...Sim having associated subset keys Li1,...Lim; and encrypting the session key K with the subset keys Li1,...,Lim to render m encrypted versions of the session key K.
  • The method preferably further comprises partitioning the users into groups S1, ...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree.
  • Preferably, the tree is a complete binary tree.
  • The method preferably further comprises using private information Iu to decrypt the session key.
  • Suitably, the act of decrypting includes using information ij such that a user belongs to a subset Sij, and retrieving a subset key Lij using the private information of the user.
  • Preferably, each subset Si1,...Sim includes all leaves in a subtree rooted at some node vi, at least each node in the subtree being associated with a respective subset key.
  • Preferably, content is provided to users in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of users in the revoked set R and N is the total number of users.
  • Preferably, each user must store log N keys, wherein N is the total number of users.
  • Preferably, content is provided to users in at least one message, and wherein each user processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of users.
  • Preferably, the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • Preferably, the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, content is provided to users in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of users in the revoked set R.
  • Preferably, each user must store .5log2 N + .5log N +1 keys, wherein N is the total number of users.
  • Preferably, content is provided to users in at least one message, and wherein each user processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of users.
  • Preferably, the revoked set R defines a spanning tree, and the method includes: initializing a cover tree T as the spanning tree; iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • Preferably, each node has at least one label possibly induced by at least one of its ancestors, and wherein each user is assigned labels from all nodes hanging from a direct path between the user and the root but not from nodes in the direct path.
  • Preferably, labels are assigned to subsets using a pseudorandom sequence generator, and the act of decrypting includes evaluating the pseudorandom sequence generator.
  • Preferably, content is provided to users in at least one message having a header including a cryptographic function EL, and the method includes prefix-truncating the cryptographic function EL.
  • Preferably, the tree includes a root and plural nodes, each node having an associated key, and wherein each user is assigned keys from all nodes in a direct path between a leaf representing the user and the root.
  • Preferably, content is provided to users in at least one message defining plural portions, and each portion is encrypted with a respective session key.
  • The present invention suitably provides a computer program device, comprising: a computer program storage device including a program of instructions usable by a computer, comprising: logic means for accessing a tree to identify plural subset keys; logic means for encrypting a message with a session key; logic means for encrypting the session key at least once with each of the subset keys to render encrypted versions of the session key; and logic means for sending the encrypted versions of the session key in a header of the message to plural stateless receivers.
  • The computer program device preferably further comprises logic means for partitioning receivers not in a revoked set R into disjoint subsets Si1, ...Sim having associated subset keys Li1, ... , Lim.
  • The computer program device preferably further comprises logic means for partitioning the users into groups S1, ...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree.
  • The computer program device preferably further comprises logic means for using private information Iu to decrypt the session key.
  • Preferably, the means for decrypting includes logic means for using information ij such that a receiver belongs to a subset Sij, and retrieving a key Lij from the private information of the receiver.
  • Preferably, each subset Si1,....Sim includes all leaves in a subtree rooted at some node vi, at least each node in the subtree being associated with a respective subset key.
  • Preferably, logic means provide content to receivers in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in the revoked set R and N is the total number of receivers.
  • Preferably, each receiver must store log N keys, wherein N is the total number of receivers.
  • Preferably, logic means provide content to receivers in at least one message, and wherein each receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • Preferably, the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, means provide content to receivers in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • Preferably, each receiver must store .5log2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • Preferably, logic means provide content to receivers in at least one message, and wherein each receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the revoked set R defines a spanning tree, and the computer program device includes: logic means for initializing a cover tree T as the spanning tree; and logic means for iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • Preferably, logic means assign labels to receivers using a pseudorandom sequence generator, and the labels induce subset keys.
  • Preferably, the means for decrypting includes evaluating the pseudorandom sequence generator.
  • Preferably, logic means provide content to receivers in at least one message having a header including a cryptographic function EL, and the computer program device includes logic means for prefix-truncating the cryptographic function EL.
  • Preferably, the tree includes a root and plural nodes, each node having an associated key, and wherein logic means assign each receiver keys from all nodes in a direct path between a leaf representing the receiver and the root.
  • Preferably, logic means provide content to receivers in at least one message defining plural portions, and each portion is encrypted with a respective session key.
  • The present invention suitably provides a computer programmed with instructions to cause the computer to execute method acts including: encrypting broadcast content; and sending the broadcast content to plural stateless good receivers and to at least one revoked receiver such that each stateless good receiver can decrypt the content and the revoked receiver cannot decrypt the content.
  • Preferably, the method acts further comprise: assigning each receiver in a group of receivers respective private information Iu; selecting at least one session encryption key K; partitioning all receivers not in a revoked set R into disjoint subsets Si1,...Sim having associated subset keys Li1, ...,Lim; and encrypting the session key K with the subset keys Li1,...,Lim to render m encrypted versions of the session key K.
  • Preferably, the method acts undertaken by the computer further comprise partitioning the users into groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree.
  • Preferably, the tree is a complete binary tree.
  • Preferably, the method acts include using private information Iu to decrypt the session key.
  • Preferably, the act of decrypting undertaken by the computer includes using information ij such that a receiver belongs to a subset Sij, and retrieving a key Lij using the private information of the receiver.
  • Preferably, each subset Si1,...Sim includes all leaves in a subtree rooted at some node vi, at least each node in the subtree being associated with a respective subset key.
  • Preferably, content is provided to receivers in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in the revoked set R and N is the total number of receivers.
  • Preferably, each receiver must store log N keys, wherein N is the total number of receivers.
  • Preferably, content is provided to receivers in at least one message, and wherein each receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • Preferably, the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, content is provided to receivers in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • Preferably, each receiver must store .5log2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • Preferably, content is provided to receivers in at least one message, and wherein each receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the revoked set R defines a spanning tree, and wherein the method acts undertaken by the computer further include: initializing a cover tree T as the spanning tree; iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  • Preferably, the computer assigns node labels to receivers from the tree using a pseudorandom sequence generator.
  • Preferably, the act of decrypting undertaken by the computer includes evaluating the pseudorandom sequence generator.
  • Preferably, content is provided to receivers in at least one message having a header including a cryptographic function EL, and the method acts undertaken by the computer include prefix-truncating the cryptographic function EL.
  • Preferably, content is provided to receivers in at least one message defining plural portions, and each portion is encrypted by the computer with a respective session key.
  • Preferably, each node has plural labels with each ancestor of the node inducing a respective label, and wherein each user is assigned labels from all nodes hanging from a direct path between the user and the root but not from nodes in the direct path.
  • The present invention suitably comprises a method for broadcast encryption, comprising: assigning each user in a group of users respective private information Iu; selecting at least one session encryption key K; partitioning all users into groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree; partitioning users not in a revoked set R into disjoint subsets Si1,...Sim having associated subset keys Li1, ...Lim; and encrypting the session key K with the subset keys Li1, ..., Lim to render m encrypted versions of the session key K, wherein the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • The present invention suitably comprises a potentially stateless receiver in a multicast system, comprising: at least one data storage device storing plural labels of nodes that are not in a direct path between the receiver and a root of a tree having a leaf representing the receiver, but that hang off the direct path and that are induced by some node vi, an ancestor of the leaf representing the receiver, the labels establishing private information Iu of the receiver usable by the receiver to decrypt subset keys derived from the labels.
  • Preferably, the receiver computes the subset keys of all sets except a direct path set that are rooted at the node vi by evaluating a pseudorandom function, but can compute no other subset keys.
  • Preferably, the receiver decrypts a session key using at least one subset key, the session key being useful for decrypting content.
  • The present invention suitably comprises a receiver of content, comprising: means for storing respective private information Iu; means for receiving at least one session encryption key K encrypted with plural subset keys, the session key encrypting content; and means for obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content.
  • Preferably, the receiver is partitioned into one of a set of groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree defining nodes and leaves.
  • Preferably, subsets Si1,...,Sim derived from the set of groups S1,...,Sw define a cover.
  • Preferably, the receiver receives content in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in a revoked set R and N is the total number of receivers.
  • Preferably, the receiver must store log N keys, wherein N is the total number of receivers.
  • Preferably, the receiver receives content in at least one message defining a header, and wherein the receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, a revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • Preferably, the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, the receiver receives content in a message having a header including at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • Preferably, the receiver must store .5log2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • Preferably, content is provided to the receiver in at least one message, and wherein the receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the receiver decrypts the subset key by evaluating a pseudorandom sequence generator.
  • Suitably, the present invention comprises a receiver of content, comprising: a data storage storing respective private information Iu; a processing device receiving at least one session encryption key K encrypted with plural subset keys, the session key encrypting content, the processing device obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content.
  • Preferably, the receiver is partitioned into one of a set of groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree.
  • Preferably, subsets Si1,...,Sim derived from the set of groups S1,...,Sw define a cover.
  • Preferably, the receiver receives content in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of receivers in a revoked set R and N is the total number of receivers.
  • Preferably, the receiver must store log N keys, wherein N is the total number of receivers.
  • Preferably, the receiver receives content in at least one message defining a header, and wherein the receiver processes the message using at most log log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, one revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  • Preferably, the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, the receiver receives content in a message having a header including at most 2r-1 subset keys and encryptions, wherein r is the number of receivers in the revoked set R.
  • Preferably, the receiver must store .5log2 N + .5log N +1 keys, wherein N is the total number of receivers.
  • Preferably, content is provided to the receiver in at least one message, and wherein the receiver processes the message using at most log N operations plus a single decryption operation, wherein N is the total number of receivers.
  • Preferably, the receiver decrypts the subset key by evaluating a pseudorandom sequence generator.
  • The present invention suitably comprises a medium holding a message of content of the general form <[i1, i2, ... , im, ELi1(K), ELi2 (K) ,..., ELim (K)] , FK(M) >, wherein K is a session key, FK is an encryption primitive, EK is an encryption primitive, Li are subset keys associated with subsets of receivers in an encryption broadcast system, M is a message body, and i1, i2,...,im are tree node subsets defining a cover.
  • Preferably, the encryption primitive FK is implemented by XORing the message body M with a stream cipher generated by the session key K.
  • Preferably, EL is a Prefix-Truncation specification of a block cipher, 1 represents a random string whose length equals the block length of EL, and K is a short key for FK, and the message is of the form < i 1 , i 2 , , i m , U , Prefix - K - E Li 1 U / K , , Prefix - K - E Lim U / K , F K M > .
    Figure imgb0001
  • Preferably, 1/ij is encrypted and the message is of the form < i 1 , i 2 , , i m , U , Prefix - L - E Li 1 U / i l / K , , Prefix - L - E Lim U / i m / K , F K M > .
    Figure imgb0002
  • Preferably, the subset keys are derived from a tree including a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • Preferably, the subset keys are derived from a tree including a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi, at least each node in the subtree being associated with a respective subset key.
  • Preferably, the act of partitioning is undertaken by a system computer in a system of receivers separate from the system computer.
  • Preferably, the act of partitioning is undertaken by a receiver computer.
  • Preferably, the receiver derives the subsets in the cover.
  • The invention suitably includes a computer system for undertaking the inventive logic set forth herein. The invention can also be embodied in a computer program product that stores the present logic and that can be accessed by a processor to execute the logic. Also, the invention may suitably include a computer-implemented method that follows the logic disclosed below.
  • The invention suitably includes a method for grouping users into (possibly overlapping) subsets of users, each subset having a unique, preferably long-lived subset key, and assigning each user respective private information Iu. The method also suitably includes selecting at least one preferably short-lived session encryption key K, and partitioning users not in a revoked set R into disjoint subsets Si1,...Sim having associated subset keys Li1,...,Lim. The session key K is suitably encrypted with the subset keys Li1, ...,Lim to render m encrypted versions of the session key K. In one aspect, the users can establish leaves in a tree such as a complete binary tree, and the subsets Si1,...Sim are induced by the tree.
  • In a preferred embodiment, the users are initially partitioned into groups S1,...,Sw, wherein "w" is an integer. A given transmission suitably selects m such groups as a "cover" for non-revoked users, with the cover being defined by the set of revoked users. The "cover" groups suitably establish subtrees (either complete subtrees or a difference between two subtrees) in a tree. A user's private information Iu is preferably found as information ij in a transmitted message that indicates that a user belongs to a subset Sij of one of the groups S1,...,Sw. A subset key Lij can then be obtained from or derived using the private information of the user.
  • In a first embodiment, referred to herein as the "complete subtree" method, respective groups correspond to all possible subtrees in the complete tree. Each user is assigned keys from all nodes that are in a direct path between a leaf representing the user and the root of the tree. In other words, each subset Si includes all leaves in a subtree rooted at some node vi, with at least each node in the subtree being associated with a respective subset key. In this embodiment, content is provided to users in a message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of users in the revoked set R and N is the total number of users. Moreover, each user must store log N keys, and each user processes the message using at most log log N operations plus a single decryption operation.
  • In a second embodiment, referred to herein as the "subset difference" method, respective groups of users correspond to a universe of sets S1,...,Sw that can be described as "a first subtree A minus a second subtree B that is entirely contained in A". Each node in this tree has a set of labels, one unique to the node and others that are induced by ancestor nodes. Each user is assigned labels from all nodes hanging from nodes in a direct path between the receiver and the root (at most logN labels from each such node), but not from nodes in the direct path itself. In other words, each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi. One of the labels of the subset difference nodes for a particular user are provided to the user in a transmission as that user's private information. Using the labels, the user can generate the subset keys necessary for decryption.
  • In this embodiment, the message header includes at most 2r-1 (1.25r on average) subset keys and encryptions, each user must store .5log2 N + .5log N +1 keys, and each user processes the message using at most log N operations (preferably applications of a pseudorandom generator) plus a single decryption operation.
  • As disclosed further below with respect to the subset difference method, the revoked set R defines a spanning tree. A cover tree T is initialized as the spanning tree, and then the method iteratively removes nodes from the cover tree T and adds subtrees to the cover tree T until the cover tree T has at most one node. The cover tree T is used to identify subset keys to be used in a particular transmission, with users evaluating the pseudorandom sequence generator to derive subset keys from the labels. Preferably, for processing efficiency revocations are processed in order from left to right such that only two revocations at a time must be kept in memory.
  • In some specific implementations, the message header includes a cryptographic function EL, and the method includes prefix-truncating the cryptographic prefix function EL. If desired, portions of the message can be encrypted with respective session keys.
  • In another aspect, a computer program device suitably includes a computer program storage device that in turn includes a program of instructions that can be used by a computer. The program includes logic means for accessing a tree to obtain plural subset keys, and logic means for encrypting a message with a session key. Logic means are also provided for encrypting the session key at least once with each of the subset keys to render encrypted versions of the session key. Then, logic means send the encrypted versions of the session key in a header of the message to plural stateless receivers.
  • In yet another aspect, a computer is suitably programmed with instructions to cause the computer to encrypt broadcast content, and send the broadcast content to plural stateless good receivers and to at least one revoked receiver such that each stateless good receiver can decrypt the content and the revoked receiver cannot decrypt the content.
  • In another aspect, a potentially stateless receiver u in a broadcast encryption system suitably includes a data storage storing respective private information Iu, and a processing device that receives a session encryption key K which is encrypted with plural subset keys. The session key encrypts content, with the processing device obtaining at least one subset key using the private information such that the session key K can be decrypted to play the content. In a preferred embodiment, the receiver is partitioned into one of a set of groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree. Subsets Si1,...,Sim derived from the set of groups S1,...,Sw define a cover that is calculated by the receiver or by a system computer. Preferably, the tree includes a root and plural nodes, with each node having at least one associated label. Each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  • In another aspect, a medium suitably holds a message of content of the general form < [i1, i2,...,im, ELi1(K), ELi2 (K) ,...,ELim (K)], FK (M) >, wherein K is a session key, FK is an encryption primitive, EK is an encryption primitive, Li are subset keys associated with subsets of receivers in an encryption broadcast system, M is a message body, and i1, i2,...,im are tree node subsets defining a cover.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Preferred embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
    • Figure 1 is a block diagram of the present system;
    • Figure 2 is a flow chart of the overall encryption logic;
    • Figure 3 is a flow chart of the overall decryption logic;
    • Figure 4 is a flow chart of the key assignment portion of the complete subtree method;
    • Figure 5 is a flow chart of the encryption portion of the complete subtree method;
    • Figure 6 is a flow chart of the decryption portion of the complete subtree method;
    • Figure 7 is a schematic diagram of a subset of a complete subtree;
    • Figure 8 is a schematic diagram of a subset in the subset difference method; and
    • Figure 9 is another form of a schematic diagram of the subset in the subset difference method.
    • Figure 10 is a flow chart of the logic for defining a cover in the subset difference method;
    • Figure 11 is a schematic diagram of a subset of a tree in the subset difference method, illustrating key assignment;
    • Figure 12 is a flow chart of the decryption portion of the subset difference method;
    • Figure 13 is a flow chart of the logic for assigning keys in the subset difference method; and
    • Figure 14 is a schematic diagram of a subset of a tree in the subset difference method.
    DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Referring initially to Figure 1, a system is shown, generally designated 10, for generating sets of keys in a broadcast content guard system, such as but not limited to the system disclosed in the above-referenced patent. By "broadcast" is meant the wide dissemination of a program from a content provider to many users simultaneously over cable (from a satellite source), or wire, or radiofrequency (including from a satellite source), or from widely marketed content disks.
  • As shown, the system 10 includes a key set definition computer 12 that accesses a key set definition module 14 that functions in accordance with disclosure below. The key sets defined by the computer 12 are used by potentially stateless player-recorder devices 16, also referred to herein as "receivers" and "users", that have processors inside them to decrypt content. The content along with certain keys disclosed below are provided to the respective devices via, e.g., device manufacturers 16 on media 17. A player-recorder device can access its key set to decrypt the content on media or broadcast to it via wireless communication. As used herein "media" can include but is not limited to DVDs, CDs, hard disk drives, and flash memory devices. In an alternative embodiment, each receiver 16 could execute the module 14 to undertake the step of calculating the below-disclosed "cover" by being given the set of revoked receivers and undertaking the logic set forth below.
  • It is to be understood that the processor associated with the module 14 accesses the modules to undertake the logic shown and discussed below, which may be executed by a processor as a series of computer-executable instructions. Two methods - the complete subtree method, and the subset difference method - are disclosed herein for using the system 10 to selectively revoke the ability of compromised receivers 16 to decrypt broadcast content without revoking the ability of any non- compromised receiver 16 to decrypt broadcast content.
  • The instructions may be contained on a data storage device with a computer readable medium, such as a computer diskette having a computer usable medium with computer readable code elements stored thereon. Or, the instructions may be stored on a DASD array, magnetic tape, conventional hard disk drive, electronic read-only memory, optical storage device, or other appropriate data storage device. In an illustrative embodiment of the invention, the computer-executable instructions may be lines of compiled C++ compatible code.
  • Indeed, the flow charts herein illustrate the structure of the logic of a preferred embodiment of the present invention as embodied in computer program software. Those skilled in the art will appreciate that the flow charts illustrate the structures of computer program code elements including logic circuits on an integrated circuit, that function according to this invention. Manifestly, the invention is practiced in its essential embodiment by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (that is, a computer) to perform a sequence of function acts corresponding to those shown.
  • The overall logic of a preferred embodiment of the present invention as embodied by both the subset difference method and complete subtree method can be seen in reference to Figure 2. For purposes of the present disclosure, assume that N receivers 16 exist in the system 10, and that it is desirable to be able to revoke the ability of r receivers in a revoked receiver subset R to decrypt content even if the revoked receivers act in a coalition (by sharing encryption knowledge), such that any receiver can still decrypt content. Commencing at block 19, the system is initiated by assigning long-lived subset keys L1,...,Lw to corresponding subsets in a universe of subsets S1,...,Sw into which receivers are grouped in accordance with the disclosure below, with each subset Sj thus having a long-lived subset key Lj associated with it. In the first ("complete subtree") method, the subsets covering receivers not in a revoked set are simply the subtrees that are generated per the disclosure below. In the second ("subset difference") method, the subsets covering receivers not in a revoked set are defined by the difference between a first subtree and a smaller subtree that is entirely within the first subtree as set forth further below.
  • At block 20, the system is further initiated by supplying each receiver u with private information Iu that is useful for decrypting content. Details of the private information Iu are set forth further below. If Iu is the secret information provided to receiver u, then each receiver u in Sj can deduce Lj from its Iu. As set forth more fully below, given the revoked set R, the non-revoked receivers are partitioned into m disjoint subsets Si1,...,Sim and a short-lived session key K is encrypted m times with the long-lived subset keys Li1,...,Lim associated with respective subsets Si1,...,Sim. The subset keys are explicit subset keys in the complete subtree method and are induced by subset labels in the subset difference method.
  • Specifically, at block 22 at least one session key K is selected with which to encrypt content that is broadcast in a message M, either via wireless or wired communication paths or via storage media such as CDs and DVDs. The session key K is a random string of bits that is selected anew for each message. If desired, plural session keys can be used to encrypt respective portions of the message M.
  • In both of the below-described methods, non-revoked receivers are partitioned into disjoint subsets Si1,...Sim at block 24 using a tree. The subsets are sometimes referred to herein as "subtrees", with the first method explicitly considering subtrees and the second method regarding subtrees as being of the form "a first subtree minus a second subtree entirely contained in the first". Each subset Si1,..., Sim is associated with a respective subset key Li1,...,Lim. While any data tree-like structure is contemplated herein, for disclosure purposes it is assumed that the tree is a full binary tree.
  • Proceeding to block 26, in general the session key K is encrypted m times, once with each subset key Li1,...,Lim. The resulting ciphertext that is broadcast can be represented as follows, with portions between the brackets representing the header of the message M and with i1, i2,...,im representing indices of the disjoint subsets: < i 1 , i 2 , , i m , E Li 1 K , E Li 2 K , , E Lim K , F k M >
    Figure imgb0003
  • In one embodiment, the encryption primitive Fk is implemented by XORing the message M with a stream cipher generated by the session key K. The encryption primitive EL is a method for delivering the session key K to the receivers 16, using the long-lived subset keys. It is to be understood that all encryption algorithms for FK, EL are within the scope of a preferred embodiment of the present invention. One preferred implementation of EL can be a Prefix-Truncation specification of a block cipher. Assume 1 represents a random string whose length equals the block length of EL, and assume that K is a short key for the cipher FK whose length is, e.g., 56 bits. Then, [Prefix-K-EL(1)/K] provides a strong encryption. Accordingly, the Prefix-Truncated header becomes: < i 1 , i 2 , , i m , U , Prefix - K - E Li 1 U / K , , Prefix - K - E Lim U / K , F K M >
    Figure imgb0004
  • This advantageously reduces the length of the header to about m-K-bits instead of m-L-. In the case where the key length of EL is minimal, the following can be used to remove the factor m advantage that an adversary has in a brute-force attack which results from encrypting the same string 1 with m different keys. The string 1/ij is encrypted. That is, < i 1 , i 2 , , i m , U , Prefix - L - E Li 1 U / i l / K , , Prefix - L - E Lim U / i m / K , F K M >
    Figure imgb0005
  • Having described preferred, non-limiting ways to implement the encryption primitives E and F, attention is now directed to Figure 3, which shows the decryption logic undertaken by the receivers 16. Commencing at block 28, each non-revoked receiver u finds a subset identifier ij in the ciphertext such that it belongs to the subset Sij. As disclosed further below, if the receiver is in the revoked set R, the result of block 28 will be null. Next, at block 30 the receiver extracts the subset key Lij corresponding to the subset Sij using its private information Iu. Using the subset key, the session key K is determined at block 32, and then the message decrypted at block 34 using the session key K.
  • Two preferred methods for undertaking the above-described overall logic are disclosed below. In each, the collection of subsets is specified, as is the way keys are assigned to the subsets and a method to cover non-revoked receivers using disjoint subsets from the collection. In each, the set of receivers in the system establishes the leaves of a tree, such as but not limited to a full binary tree.
  • The first method to be discussed is the complete subtree method shown in Figures 4-7. Commencing at block 36 in Figure 4, an independent and random subset key Li is assigned to each node vi in the tree. This subset key Li corresponds to a subset containing all leaves rooted at node vi. Then, at block 38 each receiver u is provided with all subset keys in the direct path from the receiver to the root. As illustrated in brief reference to Figure 7, the receivers u in the subset Si are provided with the subset key Li associated with the node vi, as well as with the keys associated with the node P, which lies between the receivers in Si and the root of the tree.
  • When it is desired to send a message and revoke the ability of some receivers from decrypting the message, the logic of Figure 5 is invoked to partition non-revoked receivers into disjoint subsets. Commencing at block 40, a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers. The spanning tree is the minimal subtree of the full binary tree that connects the "revoked" leaves, and it can be a Steiner tree. Proceeding to block 42, the subtrees that have roots adjacent to nodes of degree one in the tree (i.e., nodes that are directly adjacent to the minimal tree) are identified. These subtrees define a "cover" and establish the subsets Si1,...,Sim. The cover encompasses all non-revoked receivers. Accordingly, at block 44 the session key K is encrypted using the subsets keys defined by the cover.
  • To decrypt the message, each receiver invokes the logic of Figure 6. Commencing at block 46, it is determined whether any ancestor node of the receiver is associated with a subset key of the cover by determining whether any ancestor node is among the set i1, i2,...im in the message header. The receiver's private information Iu, which in the complete subtree method consists of its position in the tree and subset keys associated with ancestor nodes, is used to determine this. If an ancestor is found in the message header (indicating that the receiver is a non-revoked receiver), the session key K is decrypted at block 48 using the subset key, and then the message is decrypted using the session key K at block 50.
  • In the complete subtree method, the header includes at most r*log(N/r) subset keys and encryptions. This is also the average number of keys and encryptions. Moreover, each receiver must store log N keys, and each receiver processes the message using at most log log N operations plus a single decryption operation.
  • Now referring to Figures 8-13, the subset difference method for revoking receivers can be seen. In the subset difference method, each receiver must store relatively more keys (.5log2 N + .5log N +1 keys) than in the complete subtree method, but the message header includes only at most 2r-1 subset keys and encryptions (1.25r on average), and this is substantially shorter than in the complete subtree method. Also, in the subset difference method the message is processed using at most log N applications of a pseudorandom number generator plus a single decryption operation.
  • Referring Figures 8 and 9, the subset difference method regards subsets as being the difference between a larger subset A and a smaller subset B that is entirely contained in A. Accordingly, as shown a larger subtree is rooted at node vi and a smaller subtree is rooted at node vj that descends from vi. The resulting subset Si,j consists of all the leaves "yes" under vi except for those leaves labelled "no" (and colored more darkly than the leaves labelled "yes") under vj. Figure 9 illustrates this, with the subset vi,j being represented by the area within the larger triangle and outside the smaller triangle.
  • When it is desired to send a message and revoke the ability of some receivers from decrypting the message in the subset difference method, the above-described structure is used as shown in Figure 10. Commencing at block 52, a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers. The spanning tree is the minimal subtree of the full binary tree that connects the "revoked" leaves, and it can be a Steiner tree. Proceeding to block 54, a cover tree T is initialized as the spanning tree. An iterative loop then begins wherein nodes are removed from the cover tree and subtrees are added to the cover until the cover tree T has at most one node. The output defines the cover for the non-revoked receivers.
  • More specifically, moving from block 54 to block 56, leaves vi and vj are found in the cover tree T such that their least common ancestor v contains no other leaves in T. At decision diamond 57 it is determined whether only one leaf exists in the cover tree T. If more than a single leaf exists, the logic moves to block 58 to find nodes vi, vk in v such that vi descends from vl and vj descends from vk and such that vl, vk are children of v (i.e., are direct descendants of v without any intervening nodes between v and vl, vk). In contrast, when only a single leaf exists in T, the logic moves from decision diamond 57 to block 60 to set vi = vj = sole remaining leaf, place v at the root of T, and set vl = vk = root.
  • From block 58 or 60 the logic moves to decision diamond 62. At decision diamond 62, it is determined whether vl equals vi. It is likewise determined whether vk equals vj. If vl does not equal vi the logic moves to block 64 to add the subset Sl,i to T, remove from T all descendants of v, and make v a leaf. Likewise, if vk does not equal vj the logic moves to block 64 to add the subset Sk,j to T, remove from T all descendants of v, and make v a leaf. From block 64 or from decision diamond 62 when no inequality is determined, the logic loops back to block 56.
  • With the above overall view of the subset difference key assignment method in mind, a particularly preferred implementation is now set forth. While the total number of subsets to which a receiver belongs is as large as N, these subsets can be grouped into logN clusters defined by the first subset i (from which another subset is subtracted). For each 1<i<N corresponding to an internal node in the full tree, an independent and random label LABELi is selected, which induces the labels for all legitimate subsets of the form Si,j. From the labels, the subset keys are derived. Figure 11 illustrates the preferred labelling method discussed below. The node labelled Li is the root of the subtree Ti, and its descendants are labelled according to present principles.
  • If G is a cryptographic pseudorandom sequence generator that triples the input length, G_L(S) denotes the third left of the output of G on the seed S, G_R(S) denotes the right third, and G_M(S) denotes the middle third. Consider the subtree Ti of the cover tree T rooted at the node vi with label LABELi. If this node is labelled S, its two children are labelled G_L(S) and G_R(S) respectively. The subset key Li,j assigned to the set Si,j is the G_M of the label of LABELi,j of node vj derived in the subtree Ti. Note that each label S induces three parts, namely, the labels for the left and right children, and the key of the node. Consequently, given the label of a node it is possible to compute the labels and keys of all its descendants. In one preferred embodiment, the function G is a cryptographic hash such as the Secure Hashing Algorithm-1, although other functions can be used.
  • Figure 12 shows how receivers decrypt messages in the subset difference method. Commencing at block 66, the receiver finds the subset Si,j to which it belongs, along with the associated label (which is part of the private information of the receiver that allows it to derive the LABELi,j and the subset key Li,j). Using the label, the receiver computes the subset key Li,j by evaluating the function G at most N times at block 68. Then, the receiver uses the subset key to decrypt the session key K at block 70 for subsequent message decryption.
  • Figure 13 shows how labels and, hence, subset keys, are assigned to receivers in the subset difference method. The labelling method disclosed herein is used to minimize the number of keys that each receiver must store.
  • Commencing at block 72, each receiver is provided with labels of nodes that are not in the direct path between the receiver and the root but that "hang" off the direct path and that are induced by some node vi, an ancestor of u. These labels establish the private information Iu of the receiver at block 74, with subsequent message session keys being encrypted with subset keys derived from the labels at block 76.
  • Referring briefly to Figure 14, the above principle is illustrated. For every vi ancestor with label S of a receiver u, the receiver u receives labels at all nodes 71 that are hanging off the direct path from the node vi to the receiver u. As discussed further below, these labels are preferably all derived from S. In marked contrast to the complete subtree method, in the subset difference method illustrated in Figures 8-14 the receiver u does not receive labels from any node 73 that is in the direct path from the receiver u to the node vi. Using the labels, the receiver u can compute the subset keys of all sets (except the direct path set) that are rooted at the node vi by evaluating the above-described function G, but can compute no other subset keys.
  • Conventional multicast systems lack backward secrecy, i.e., a constantly listening receiver that has been revoked nonetheless can record all encrypted content, and then sometime in the future gain a valid new key (by, e.g., re-registering) which allows decryption of past content. A preferred embodiment of the present invention can be used in such scenarios to cure the lack of backwards secrecy by including, in the set of revoked receivers, all receiver identities that have not yet been assigned. This can be done if all receivers are assigned to leaves in consecutive order. In this case, revocation of all unassigned identities results in a moderate increase in message header size, but not proportionally to the number of such identities.
  • A preferred embodiment of the present invention also recognizes that it is desirable to have concise encodings of the subsets ij in the message header and to provide a quick way for a receiver to determine whether it belongs to a subset ij. Assume that a node is denoted by its path to the root, with 0 indicating a left branch and 1 indicating a right branch. The end of the path is denoted by a 1 followed by zero or more 0 bits. Thus, the root is 1000....000b, the rightmost child of the root is 01000...000b, the leftmost child is 11000...000b, and a leaf is xxxx...xxxx1b.
  • As recognized herein, the path of a larger subtree's root is a subset of the path of a smaller subtree's root, so that the subset difference can be denoted by the root of the smaller subtree plus the length of the path to the larger subtree's root. With this in mind, a receiver can quickly determine if it is in a given subset by executing the following Intel Pentium® processor loop.
  • Outside the loop, the following registers are set up: ECX contains the receiver's leaf node, ESI points to the message buffer (the first byte is the length of the path to the larger subtree root and the next four bytes are the root of the smaller tree), and a static table outputs 32 bits when indexed by the length of the path, with the first length bits being 1 and the remaining bits being 0.
    Figure imgb0006
  • If a receiver falls out of the loop, it does not necessarily mean that it belongs to the particular subset. It might be in the smaller excluded subtree, and if so, it must return to the loop. However, since in the vast majority of cases the receiver is not even in the larger subtree, almost no processing time is spent in the loop.
  • In a further optimization of the subset difference method, the system server does not have to remember each and every label, which could run into the millions. Instead, the label of the ith node can be a secret function of the node. The secret function could be a triple DES encryption that uses a secret key to render the label of the ith node when applied to the number i.

Claims (11)

  1. A method for broadcast encryption, comprising:
    assigning each user in a group of users respective private information Iu;
    selecting at least one session encryption key K;
    partitioning users not in a revoked set R into disjoint subsets Si1,... Sim having associated subset keys Li1,....Lim; and
    encrypting the session key K with the subset keys Li1,...,Lim to render m encrypted versions of the session key K.
  2. The method of Claim 1, further comprising partitioning the users into groups S1,...,Sw, wherein "w" is an integer, and the groups establish subtrees in a tree.
  3. The method of Claim 2, wherein each subset Si1,...Sim includes all leaves in a subtree rooted at some node vi, at least each node in the subtree being associated with a respective subset key.
  4. The method of Claim 3, wherein content is provided to users in at least one message defining a header, and the header includes at most r*log(N/r) subset keys and encryptions, wherein r is the number of users in the revoked set R and N is the total number of users.
  5. The method of Claim 3, wherein the revoked set R defines a spanning tree, and subtrees having roots attached to nodes of the spanning tree define the subsets.
  6. The method of any of Claims 2 to 5, wherein the tree includes a root and plural nodes, each node having at least one associated label, and wherein each subset includes all leaves in a subtree rooted at some node vi that are not in the subtree rooted at some other node vj that descends from vi.
  7. The method of Claim 6, wherein content is provided to users in at least one message defining a header, and the header includes at most 2r-1 subset keys and encryptions, wherein r is the number of users in the revoked set R.
  8. The method of either one of Claims 6 or 7, wherein the revoked set R defines a spanning tree, and wherein the method includes:
    initializing a cover tree T as the spanning tree;
    iteratively removing nodes from the cover tree T and adding nodes to a cover until the cover tree T has at most one node.
  9. The method of any of Claims 6 to 8, wherein each node has at least one label possibly induced by at least one of its ancestors, and wherein each user is assigned labels from all nodes hanging from a direct path between the user and the root but not from nodes in the direct path.
  10. A computer program comprising computer program code to, when loaded into a computer system and executed, cause said computer system to perform the steps of a method as claimed in any of claims 1 to 9.
  11. Apparatus for broadcast encryption, comprising:
    means for assigning each user in a group of users respective private information Iu;
    means for selecting at least one session encryption key K;
    means for partitioning users not in a revoked set R into disjoint subsets Si1,...Sim having associated subset keys Li1,...Lim; and
    means for encrypting the session key K with the subset keys Li1,...,Lim to render m encrypted versions of the session key K.
EP02710108A 2001-01-26 2002-01-23 Method for broadcast encryption Expired - Lifetime EP1354443B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US770877 1985-08-29
US09/770,877 US7039803B2 (en) 2001-01-26 2001-01-26 Method for broadcast encryption and key revocation of stateless receivers
PCT/GB2002/000305 WO2002060116A2 (en) 2001-01-26 2002-01-23 Method for broadcast encryption

Publications (3)

Publication Number Publication Date
EP1354443A2 EP1354443A2 (en) 2003-10-22
EP1354443B1 true EP1354443B1 (en) 2009-10-07
EP1354443B2 EP1354443B2 (en) 2013-01-02

Family

ID=25089976

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02710108A Expired - Lifetime EP1354443B2 (en) 2001-01-26 2002-01-23 Method for broadcast encryption

Country Status (11)

Country Link
US (4) US7039803B2 (en)
EP (1) EP1354443B2 (en)
JP (1) JP2004520743A (en)
KR (1) KR100543630B1 (en)
CN (2) CN1976277B (en)
AT (1) ATE445269T1 (en)
AU (1) AU2002228163A1 (en)
DE (1) DE60233929D1 (en)
ES (1) ES2334109T5 (en)
TW (1) TWI264208B (en)
WO (1) WO2002060116A2 (en)

Families Citing this family (154)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001099332A1 (en) * 2000-06-21 2001-12-27 Sony Corporation Information recording/reproducing apparatus and method
US8127326B2 (en) 2000-11-14 2012-02-28 Claussen Paul J Proximity detection using wireless connectivity in a communications system
CA2428946C (en) 2000-11-14 2010-06-22 Scientific-Atlanta, Inc. Networked subscriber television distribution
JP4581246B2 (en) * 2000-12-26 2010-11-17 ソニー株式会社 Information processing system, information processing method, and program recording medium
US7421082B2 (en) * 2000-12-28 2008-09-02 Sony Corporation Data delivery method and data delivery system using sets of passkeys generated by dividing an encryption key
JP4281252B2 (en) * 2001-01-16 2009-06-17 ソニー株式会社 Information recording apparatus, information reproducing apparatus, information recording method, information reproducing method, information recording medium, and program storage medium
US7039803B2 (en) * 2001-01-26 2006-05-02 International Business Machines Corporation Method for broadcast encryption and key revocation of stateless receivers
US9520993B2 (en) 2001-01-26 2016-12-13 International Business Machines Corporation Renewable traitor tracing
US7590247B1 (en) 2001-04-18 2009-09-15 Mcafee, Inc. System and method for reusable efficient key distribution
US7043024B1 (en) * 2001-04-18 2006-05-09 Mcafee, Inc. System and method for key distribution in a hierarchical tree
FR2824212A1 (en) * 2001-04-25 2002-10-31 Thomson Licensing Sa METHOD FOR MANAGING A SYMMETRIC KEY IN A COMMUNICATION NETWORK AND DEVICES FOR IMPLEMENTING IT
US7181620B1 (en) * 2001-11-09 2007-02-20 Cisco Technology, Inc. Method and apparatus providing secure initialization of network devices using a cryptographic key distribution approach
JP3917507B2 (en) * 2002-01-28 2007-05-23 株式会社東芝 Content providing system, user system, tracking system, content providing method, encrypted content decrypting method, unauthorized user specifying method, encrypting device, decrypting device, and program
US7340603B2 (en) * 2002-01-30 2008-03-04 Sony Corporation Efficient revocation of receivers
JP3818503B2 (en) * 2002-04-15 2006-09-06 ソニー株式会社 Information processing apparatus and method, and program
US7092527B2 (en) * 2002-04-18 2006-08-15 International Business Machines Corporation Method, system and program product for managing a size of a key management block during content distribution
US7400732B2 (en) * 2002-07-25 2008-07-15 Xerox Corporation Systems and methods for non-interactive session key distribution with revocation
US7516470B2 (en) 2002-08-02 2009-04-07 Cisco Technology, Inc. Locally-updated interactive program guide
US7908625B2 (en) 2002-10-02 2011-03-15 Robertson Neil C Networked multimedia system
US8046806B2 (en) 2002-10-04 2011-10-25 Wall William E Multiroom point of deployment module
US7545935B2 (en) * 2002-10-04 2009-06-09 Scientific-Atlanta, Inc. Networked multimedia overlay system
US7360235B2 (en) 2002-10-04 2008-04-15 Scientific-Atlanta, Inc. Systems and methods for operating a peripheral record/playback device in a networked multimedia system
GB2394803A (en) * 2002-10-31 2004-05-05 Hewlett Packard Co Management of security key distribution using an ancestral hierarchy
US7305711B2 (en) * 2002-12-10 2007-12-04 Intel Corporation Public key media key block
US7450722B2 (en) * 2002-12-13 2008-11-11 General Instrument Corporation Subset difference method for multi-cast rekeying
US20040128259A1 (en) * 2002-12-31 2004-07-01 Blakeley Douglas Burnette Method for ensuring privacy in electronic transactions with session key blocks
US7801820B2 (en) * 2003-01-13 2010-09-21 Sony Corporation Real-time delivery of license for previously stored encrypted content
ES2352052T3 (en) * 2003-01-15 2011-02-15 Panasonic Corporation CONTENT PROTECTION SYSTEM, TERMINAL DEVICE, TERMINAL APPLIANCE METHOD AND REGISTRATION SUPPORT.
US8094640B2 (en) 2003-01-15 2012-01-10 Robertson Neil C Full duplex wideband communications system for a local coaxial network
US7487532B2 (en) 2003-01-15 2009-02-03 Cisco Technology, Inc. Optimization of a full duplex wideband communications system
JP2004220317A (en) * 2003-01-15 2004-08-05 Sony Corp Mutual authentication method, program, recording medium, signal processing system, reproduction device, and information processor
KR101019321B1 (en) * 2003-01-15 2011-03-07 파나소닉 주식회사 Content protection system, key data generation apparatus, and terminal apparatus
US8261063B2 (en) * 2003-02-03 2012-09-04 Hewlett-Packard Development Company, L.P. Method and apparatus for managing a hierarchy of nodes
JP3788438B2 (en) * 2003-03-24 2006-06-21 ソニー株式会社 Information recording medium, information processing apparatus, information processing method, and computer program
KR100974449B1 (en) * 2003-04-24 2010-08-10 엘지전자 주식회사 Method for managing a copy protection information of optical disc
KR20040092649A (en) * 2003-04-24 2004-11-04 엘지전자 주식회사 Method for managing a copy protection information of optical disc
KR100974448B1 (en) * 2003-04-24 2010-08-10 엘지전자 주식회사 Method for managing a copy protection information of optical disc
KR100972831B1 (en) * 2003-04-24 2010-07-28 엘지전자 주식회사 Protectiog method of encrypted data and reprodecing apparatus therof
JP4625011B2 (en) * 2003-05-21 2011-02-02 株式会社エヌ・ティ・ティ・ドコモ Broadcast encryption using RSA
JP4759513B2 (en) * 2003-06-02 2011-08-31 リキッド・マシンズ・インコーポレーテッド Data object management in dynamic, distributed and collaborative environments
WO2005013550A1 (en) * 2003-08-05 2005-02-10 Matsushita Electric Industrial Co., Ltd. Copyright protection system
US7610485B1 (en) * 2003-08-06 2009-10-27 Cisco Technology, Inc. System for providing secure multi-cast broadcasts over a network
KR20060133958A (en) * 2003-09-10 2006-12-27 코닌클리케 필립스 일렉트로닉스 엔.브이. Content protection method and system
US7813512B2 (en) * 2003-10-16 2010-10-12 Panasonic Corporation Encrypted communication system and communication device
KR20050078773A (en) * 2004-02-02 2005-08-08 삼성전자주식회사 Method of assigning user key for broadcast encryption
US7499550B2 (en) * 2004-02-09 2009-03-03 International Business Machines Corporation System and method for protecting a title key in a secure distribution system for recordable media content
JP4635459B2 (en) * 2004-03-15 2011-02-23 ソニー株式会社 Information processing method, decoding processing method, information processing apparatus, and computer program
JP2005286959A (en) * 2004-03-31 2005-10-13 Sony Corp Information processing method, decoding processing method, information processor and computer program
US8300824B1 (en) * 2004-04-08 2012-10-30 Cisco Technology, Inc. System and method for encrypting data using a cipher text in a communications environment
WO2005109735A1 (en) * 2004-05-12 2005-11-17 Telefonaktiebolaget Lm Ericsson (Publ) Key management messages for secure broadcast
US8249258B2 (en) * 2004-06-07 2012-08-21 National Institute Of Information And Communications Technology Communication method and communication system using decentralized key management scheme
JP4162237B2 (en) * 2004-06-24 2008-10-08 インターナショナル・ビジネス・マシーンズ・コーポレーション ENCRYPTED COMMUNICATION SYSTEM, ENCRYPTION DEVICE, DECRYPTION DEVICE, ENCRYPTION METHOD, DECRYPTION METHOD, ENCRYPTION PROGRAM, AND DECRYPTION PROGRAM
KR100968181B1 (en) * 2004-06-24 2010-07-07 인터내셔널 비지네스 머신즈 코포레이션 Access control over multicast
US7266548B2 (en) * 2004-06-30 2007-09-04 Microsoft Corporation Automated taxonomy generation
KR100579515B1 (en) * 2004-10-08 2006-05-15 삼성전자주식회사 Apparatus and method of generating a key for broadcast encryption
US7516326B2 (en) * 2004-10-15 2009-04-07 Hewlett-Packard Development Company, L.P. Authentication system and method
US7454021B2 (en) * 2004-10-29 2008-11-18 Hewlett-Packard Development Company, L.P. Off-loading data re-encryption in encrypted data management systems
JP4690420B2 (en) * 2004-11-16 2011-06-01 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Improved key distribution in a system for selective access to information
TWI277870B (en) * 2004-11-22 2007-04-01 Toshiba Corp Copyright management method, information recording/reproducing method and device, and information recording medium and method of manufacturing the medium
US8090105B2 (en) * 2004-11-24 2012-01-03 International Business Machines Corporation Broadcast encryption with dual tree sizes
US20060126831A1 (en) * 2004-12-14 2006-06-15 Cerruti Julian A Systems, methods, and media for adding an additional level of indirection to title key encryption
KR100811046B1 (en) * 2005-01-14 2008-03-06 엘지전자 주식회사 Method for managing digital rights of broadcast/multicast service
JP4599194B2 (en) * 2005-03-08 2010-12-15 株式会社東芝 Decoding device, decoding method, and program
KR100717005B1 (en) * 2005-04-06 2007-05-10 삼성전자주식회사 Method and apparatus for determining revocation key, and method and apparatus for decrypting thereby
KR100970391B1 (en) 2005-04-19 2010-07-15 삼성전자주식회사 Method for Making Tag in Broadcast Encryption System
WO2006112635A1 (en) 2005-04-19 2006-10-26 Samsung Electronics Co., Ltd Tag generation method in broadcast encryption system
KR100765750B1 (en) * 2005-05-09 2007-10-15 삼성전자주식회사 Method and apparatus for encrypting/decrypting efficiently according to broadcast encryption scheme
US20060265338A1 (en) * 2005-05-17 2006-11-23 Rutkowski Matt F System and method for usage based key management rebinding using logical partitions
KR100708133B1 (en) * 2005-05-25 2007-04-17 삼성전자주식회사 Method and apparatus for encrypting/decrypting efficiently according to broadcast encryption scheme
KR100708134B1 (en) * 2005-05-25 2007-04-17 삼성전자주식회사 Method and apparatus for encrypting/decrypting efficiently according to broadcast encryption scheme
KR101152311B1 (en) * 2005-06-09 2012-06-11 삼성전자주식회사 Key managing method in tree topology network for broadcast encryption
WO2007001287A1 (en) * 2005-06-23 2007-01-04 Thomson Licensing Multi-media access device registration system and method
US20070011735A1 (en) * 2005-07-06 2007-01-11 Cable Television Laboratories, Inc. Open standard conditional access system
US7876998B2 (en) 2005-10-05 2011-01-25 Wall William E DVD playback over multi-room by copying to HDD
US7523304B2 (en) * 2005-11-22 2009-04-21 Ntt Docomo, Inc. Generation of set coverings with free riders, and generation of ordered sets of meeting points, in systems which include, but are not limited to, systems for broadcast encryption and systems for certificate revocation
KR100803596B1 (en) 2005-11-25 2008-02-19 삼성전자주식회사 Method and apparatus for decryption using external device or service on revocation mechanism, method and apparatus for supporting decryption therefor
US8306026B2 (en) * 2005-12-15 2012-11-06 Toshiba America Research, Inc. Last hop topology sensitive multicasting key management
US8176568B2 (en) 2005-12-30 2012-05-08 International Business Machines Corporation Tracing traitor coalitions and preventing piracy of digital content in a broadcast encryption system
US7861003B2 (en) 2006-01-31 2010-12-28 Genband Us Llc Adaptive feedback for session over internet protocol
US7865612B2 (en) * 2006-01-31 2011-01-04 Genband Us Llc Method and apparatus for partitioning resources within a session-over-internet-protocol (SoIP) session controller
US7860990B2 (en) 2006-01-31 2010-12-28 Genband Us Llc Session data records and related alarming within a session over internet protocol (SOIP) network
KR100729139B1 (en) * 2006-02-13 2007-06-18 고려대학교 산학협력단 Modular method for broadcast encryption
FR2897736B1 (en) * 2006-02-22 2008-04-11 Viaccess Sa METHOD FOR ESTABLISHING A CRYPTOGRAPHIC KEY, NET HEAD AND RECEIVER FOR THIS METHOD, AND METHOD FOR TRANSMITTING SIGNALS
FR2899748B1 (en) * 2006-04-07 2008-11-28 Thales Sa EFFICIENT HYBRID DIFFUSION SCHEME, ADAPTED TO LOW BANDWIDTH
CN101060398A (en) * 2006-04-20 2007-10-24 松下电器产业株式会社 A new safety group safety certificate generating method, communication method, and network system
US8676713B2 (en) * 2006-05-30 2014-03-18 Dell Products L.P. Dynamic constraints for content rights
US8121289B2 (en) * 2006-05-31 2012-02-21 France Telecom Cryptographic method with integrated encryption and revocation, system, device and programs for implementing this method
JP2007336059A (en) * 2006-06-13 2007-12-27 Toshiba Corp Information access management method and apparatus
KR20070119335A (en) * 2006-06-15 2007-12-20 삼성전자주식회사 Method of allocating a key of user for broadcast encryption
JP5005277B2 (en) * 2006-07-13 2012-08-22 日東電工株式会社 Patches and patch preparations
US8627482B2 (en) * 2006-07-24 2014-01-07 Thomson Licensing Method, apparatus and system for secure distribution of content
JP4179563B2 (en) * 2006-09-21 2008-11-12 インターナショナル・ビジネス・マシーンズ・コーポレーション Technology for managing cryptographic keys for cryptographic communications
KR101377455B1 (en) * 2006-10-09 2014-04-02 삼성전자주식회사 Method and apparatus of generating encryption key for broadcast encryption
JP4984827B2 (en) * 2006-10-30 2012-07-25 ソニー株式会社 KEY GENERATION DEVICE, ENCRYPTION DEVICE, RECEPTION DEVICE, KEY GENERATION METHOD, ENCRYPTION METHOD, KEY PROCESSING METHOD, AND PROGRAM
JP2008113203A (en) * 2006-10-30 2008-05-15 Sony Corp Key generating device, encrypting device, receiver, key generation method, encryption method, key processing method, and program
US7986787B2 (en) * 2006-12-08 2011-07-26 International Business Machines Corporation System, method, and service for tracing traitors from content protection circumvention devices
US7978848B2 (en) * 2007-01-09 2011-07-12 Microsoft Corporation Content encryption schema for integrating digital rights management with encrypted multicast
KR20090000624A (en) * 2007-03-09 2009-01-08 삼성전자주식회사 Method for mutual authenticating with host device and system thereof
US7876895B2 (en) * 2007-05-09 2011-01-25 International Business Machines Corporation System, method, and service for performing unified broadcast encryption and traitor tracing for digital content
US7904717B2 (en) * 2007-06-19 2011-03-08 Oracle America, Inc. Method, apparatus, and manufacture for decryption of network traffic in a secure session
EP2176983A4 (en) * 2007-07-19 2013-01-23 Telcordia Tech Inc Method for a public-key infrastructure providing communication integrity and anonymity while detecting malicious communication
JP5150175B2 (en) * 2007-09-05 2013-02-20 Kddi株式会社 Client terminal covering method and program in SD method
US7912062B2 (en) 2007-09-28 2011-03-22 Genband Us Llc Methods and apparatus for managing addresses related to virtual partitions of a session exchange device
US8824685B2 (en) * 2007-10-15 2014-09-02 Sony Corporation Method for detection of a hacked decoder
JP2009105853A (en) * 2007-10-25 2009-05-14 Kddi Corp Sd method corresponding to optional tree structure, and program
EP2068490A1 (en) 2007-12-05 2009-06-10 Nagravision S.A. Method to generate a private key in a Boneh-Franklin scheme
EP2073431A1 (en) 2007-12-21 2009-06-24 Nagravision S.A. Method to trace traceable parts of original private keys in a public-key cryptosystem
US7936882B2 (en) * 2008-01-17 2011-05-03 Nagravision S.A. Method to trace traceable parts of original private keys in a public-key cryptosystem
US8306220B2 (en) * 2008-01-17 2012-11-06 Nagravision S.A. Method to generate a private key in a boneh-franklin scheme
KR20100120662A (en) * 2008-01-18 2010-11-16 코닌클리즈케 필립스 일렉트로닉스 엔.브이. Wireless communication system and method for automatic node and key revocation
US8499149B2 (en) * 2008-02-20 2013-07-30 Hewlett-Packard Development Company, L.P. Revocation for direct anonymous attestation
US9729316B2 (en) * 2008-02-27 2017-08-08 International Business Machines Corporation Unified broadcast encryption system
US8391493B2 (en) * 2008-02-29 2013-03-05 The Boeing Company Probabilistic mitigation of control channel jamming via random key distribution in wireless communications networks
US8755322B2 (en) 2008-04-24 2014-06-17 Nokia Corporation Method, apparatus, and computer program product for providing internet protocol multicast transport
KR20090115565A (en) * 2008-05-02 2009-11-05 삼성전자주식회사 Method for transmitting content key and apparatus therefor
US8122501B2 (en) * 2008-06-20 2012-02-21 International Business Machines Corporation Traitor detection for multilevel assignment
US8108928B2 (en) * 2008-06-20 2012-01-31 International Business Machines Corporation Adaptive traitor tracing
US8422684B2 (en) * 2008-08-15 2013-04-16 International Business Machines Corporation Security classes in a media key block
US20100054479A1 (en) * 2008-09-02 2010-03-04 Industrial Technology Research Institute Drm key management system using multi-dimensional grouping techniques
US8189789B2 (en) * 2008-11-03 2012-05-29 Telcordia Technologies, Inc. Intrusion-tolerant group management for mobile ad-hoc networks
US8347081B2 (en) 2008-12-10 2013-01-01 Silicon Image, Inc. Method, apparatus and system for employing a content protection system
WO2010074621A1 (en) * 2008-12-23 2010-07-01 Telefonaktiebolaget Lm Ericsson (Publ) A key management method
US8571209B2 (en) 2009-01-19 2013-10-29 International Business Machines Recording keys in a broadcast-encryption-based system
KR101603133B1 (en) * 2009-09-21 2016-03-14 삼성전자주식회사 Apparatus and method for reducing the channel play time in portable terminal
US8254580B2 (en) * 2009-09-30 2012-08-28 Telefonaktiebolaget L M Ericsson (Publ) Key distribution in a hierarchy of nodes
JP5552541B2 (en) * 2009-12-04 2014-07-16 クリプトグラフィ リサーチ, インコーポレイテッド Verifiable leak-proof encryption and decryption
EP2355503A1 (en) * 2010-02-04 2011-08-10 Nagravision S.A. Method to manage members of at least one group of decoders having access to audio/video data
WO2011107451A1 (en) * 2010-03-03 2011-09-09 Nagravision S.A. Method to manage revocations in a group of terminals
CN102195775B (en) * 2010-03-15 2016-03-02 中兴通讯股份有限公司 A kind of encryption and decryption method of cloud computing key and device
US8396896B2 (en) 2010-11-10 2013-03-12 International Business Machines Corporation Assigning resources to a binary tree structure
JP5676331B2 (en) * 2011-03-24 2015-02-25 株式会社東芝 Root node and program
CN104025502B (en) * 2011-12-22 2017-07-11 英特尔公司 Instruction processing unit, method and system for processing BLAKE SHAs
ES2863678T3 (en) * 2012-05-29 2021-10-11 Fimer S P A A method and system for transferring firmware or software to a plurality of devices
US8782440B2 (en) 2012-08-15 2014-07-15 International Business Machines Corporation Extending the number of applications for accessing protected content in a media using media key blocks
US20150237400A1 (en) * 2013-01-05 2015-08-20 Benedict Ow Secured file distribution system and method
US9425967B2 (en) * 2013-03-20 2016-08-23 Industrial Technology Research Institute Method for certificate generation and revocation with privacy preservation
GB2528874A (en) * 2014-08-01 2016-02-10 Bae Systems Plc Improvements in and relating to secret communications
US9639687B2 (en) 2014-11-18 2017-05-02 Cloudfare, Inc. Multiply-encrypting data requiring multiple keys for decryption
JP5845333B2 (en) * 2014-12-24 2016-01-20 株式会社東芝 Management apparatus, system, and method
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
JP6271808B2 (en) * 2015-03-16 2018-01-31 株式会社東芝 Management apparatus, program, system and method
US10333909B2 (en) 2016-02-09 2019-06-25 Conduent Business Services, Llc Methods and systems for broadcasting targeted advertisements to mobile device
CN106878002B (en) 2016-07-05 2020-04-24 阿里巴巴集团控股有限公司 Permission revocation method and device
KR102651659B1 (en) * 2017-07-18 2024-03-26 레긱 이덴트시스템스 아게 Method and device for verifying authorization of electronic device
EP3462571A1 (en) 2017-09-28 2019-04-03 Koninklijke Philips N.V. Authentication in a wireless power transfer system
JP2018038077A (en) * 2017-11-02 2018-03-08 株式会社東芝 Management device, program, system, and method
CN109067520B (en) * 2018-07-26 2020-06-05 北京航空航天大学 Revocable broadcast encryption method and system based on hierarchical identity
US10841078B2 (en) * 2018-07-26 2020-11-17 International Business Machines Corporation Encryption key block generation with barrier descriptors
CN110858835B (en) * 2018-08-24 2022-02-18 中国电信股份有限公司 Communication method, system and related device and computer readable storage medium
US11876903B2 (en) 2020-12-09 2024-01-16 International Business Machines Corporation Decentralized broadcast encryption and key generation facility
US11997218B2 (en) 2021-03-02 2024-05-28 International Business Machines Corporation Decentralized, dynamic media key block for broadcast encryption
US11804949B2 (en) * 2021-03-19 2023-10-31 Raytheon Bbn Technologies Corp. Subscriber revocation in a publish-subscribe network using attribute-based encryption
US11558185B2 (en) 2021-03-19 2023-01-17 Raytheon Bbn Technologies Corp. Stream-based key management
US20230421357A1 (en) * 2022-06-09 2023-12-28 NEC Laboratories Europe GmbH Method and system for anonymous symmetric authenticated key establishment

Family Cites Families (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5241597A (en) * 1991-02-01 1993-08-31 Motorola, Inc. Method for recovering from encryption key variable loss
IL106796A (en) * 1993-08-25 1997-11-20 Algorithmic Res Ltd Broadcast encryption
US6560340B1 (en) * 1995-04-03 2003-05-06 Scientific-Atlanta, Inc. Method and apparatus for geographically limiting service in a conditional access system
US5675649A (en) * 1995-11-30 1997-10-07 Electronic Data Systems Corporation Process for cryptographic key generation and safekeeping
US5812670A (en) * 1995-12-28 1998-09-22 Micali; Silvio Traceable anonymous transactions
US5748736A (en) * 1996-06-14 1998-05-05 Mittra; Suvo System and method for secure group communications via multicast or broadcast
FR2751817B1 (en) 1996-07-29 1998-09-11 Thomson Multimedia Sa CONDITIONAL ACCESS SYSTEM USING MULTIPLE ENCRYPTION KEY MESSAGES
DE19649292A1 (en) * 1996-11-28 1998-06-04 Deutsche Telekom Ag Access protection method for pay television
US6285991B1 (en) * 1996-12-13 2001-09-04 Visa International Service Association Secure interactive electronic account statement delivery system
US5920861A (en) * 1997-02-25 1999-07-06 Intertrust Technologies Corp. Techniques for defining using and manipulating rights management data structures
US6690795B1 (en) * 1997-03-04 2004-02-10 Lucent Technologies Inc. Multiple keys for decrypting data in restricted-access television system
JP3864401B2 (en) * 1997-04-23 2006-12-27 ソニー株式会社 Authentication system, electronic device, authentication method, and recording medium
US6775382B1 (en) * 1997-06-30 2004-08-10 Sun Microsystems, Inc. Method and apparatus for recovering encryption session keys
US6397329B1 (en) * 1997-11-21 2002-05-28 Telcordia Technologies, Inc. Method for efficiently revoking digital identities
US6098056A (en) * 1997-11-24 2000-08-01 International Business Machines Corporation System and method for controlling access rights to and security of digital content in a distributed information system, e.g., Internet
US6247127B1 (en) * 1997-12-19 2001-06-12 Entrust Technologies Ltd. Method and apparatus for providing off-line secure communications
JPH11187013A (en) 1997-12-24 1999-07-09 Ibm Japan Ltd Cryptographic key distribution system
US6084969A (en) * 1997-12-31 2000-07-04 V-One Corporation Key encryption system and method, pager unit, and pager proxy for a two-way alphanumeric pager network
US6049878A (en) * 1998-01-20 2000-04-11 Sun Microsystems, Inc. Efficient, secure multicasting with global knowledge
US6118873A (en) * 1998-04-24 2000-09-12 International Business Machines Corporation System for encrypting broadcast programs in the presence of compromised receiver devices
JP4273535B2 (en) * 1998-05-12 2009-06-03 ソニー株式会社 Data transmission control method, data transmission system, data receiving apparatus and data transmitting apparatus
IL126472A0 (en) * 1998-10-07 1999-08-17 Nds Ltd Secure communications system
US6782475B1 (en) * 1999-01-15 2004-08-24 Terence E. Sumner Method and apparatus for conveying a private message to selected members
JP4214651B2 (en) * 1999-03-31 2009-01-28 ソニー株式会社 Data communication system and data management method
US6636968B1 (en) * 1999-03-25 2003-10-21 Koninklijke Philips Electronics N.V. Multi-node encryption and key delivery
US6263435B1 (en) 1999-07-06 2001-07-17 Matsushita Electric Industrial Co., Ltd. Dual encryption protocol for scalable secure group communication
US6684331B1 (en) * 1999-12-22 2004-01-27 Cisco Technology, Inc. Method and apparatus for distributing and updating group controllers over a wide area network using a tree structure
JP2001352321A (en) 2000-04-06 2001-12-21 Sony Corp Information processing system, information processing method, and information recording medium, and program providing medium
US7200230B2 (en) * 2000-04-06 2007-04-03 Macrovision Corporation System and method for controlling and enforcing access rights to encrypted media
JP4023083B2 (en) 2000-04-06 2007-12-19 ソニー株式会社 Information processing system, information processing method, information recording medium, and program providing medium
US6961858B2 (en) * 2000-06-16 2005-11-01 Entriq, Inc. Method and system to secure content for distribution via a network
US6839436B1 (en) * 2000-10-16 2005-01-04 Lucent Technologies Inc. Method for providing long-lived broadcast encrypton
EP1334583A2 (en) * 2000-10-26 2003-08-13 General Instrument Corporation Enforcement of content rights and conditions for multimedia content
JP2002281013A (en) 2000-12-18 2002-09-27 Matsushita Electric Ind Co Ltd Key management device for protecting copyright, recording medium, reproduction device, recording device, key management method, reproduction method, key management program, and computer readable recording medium with key management program recorded
CN100499799C (en) * 2000-12-22 2009-06-10 爱迪德艾恩德霍芬公司 Transmission system of supplying conditional access for transmitted data
US7039803B2 (en) * 2001-01-26 2006-05-02 International Business Machines Corporation Method for broadcast encryption and key revocation of stateless receivers
JP2003050745A (en) * 2001-08-07 2003-02-21 Sony Corp Information processor, information processing method and computer program
US20030200548A1 (en) * 2001-12-27 2003-10-23 Paul Baran Method and apparatus for viewer control of digital TV program start time

Also Published As

Publication number Publication date
CN1976277B (en) 2010-10-13
ES2334109T3 (en) 2010-03-05
WO2002060116A3 (en) 2002-09-26
US7523307B2 (en) 2009-04-21
EP1354443B2 (en) 2013-01-02
KR20030085125A (en) 2003-11-03
ES2334109T5 (en) 2013-05-03
US7925025B2 (en) 2011-04-12
AU2002228163A1 (en) 2002-08-06
EP1354443A2 (en) 2003-10-22
TWI264208B (en) 2006-10-11
US20050195980A1 (en) 2005-09-08
KR100543630B1 (en) 2006-01-20
CN1976277A (en) 2007-06-06
US7039803B2 (en) 2006-05-02
US20020104001A1 (en) 2002-08-01
JP2004520743A (en) 2004-07-08
ATE445269T1 (en) 2009-10-15
DE60233929D1 (en) 2009-11-19
US20020147906A1 (en) 2002-10-10
US7698551B2 (en) 2010-04-13
US20080192939A1 (en) 2008-08-14
WO2002060116A2 (en) 2002-08-01
CN1489847A (en) 2004-04-14
CN1303777C (en) 2007-03-07

Similar Documents

Publication Publication Date Title
EP1354443B1 (en) Method for broadcast encryption
US7010125B2 (en) Method for tracing traitor receivers in a broadcast encryption system
US5592552A (en) Broadcast encryption
Naor et al. Revocation and tracing schemes for stateless receivers
US7340054B2 (en) Information processing method, decrypting method, information processing apparatus, and computer program
US20030142826A1 (en) Efficient revocation of receivers
US7263611B2 (en) Key management for content protection
EP1051036A2 (en) Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers
US7949135B2 (en) Key distribution in systems for selective access to information
KR101022465B1 (en) Method of copying and decrypting encrypted digital data and apparatus therefor
KR100803596B1 (en) Method and apparatus for decryption using external device or service on revocation mechanism, method and apparatus for supporting decryption therefor
WO2004028073A1 (en) Key management system
Naor et al. Protecting cryptographic keys: The trace-and-revoke approach
JP2004229128A (en) Encryption data distribution system, information processor and information processing method, and computer program
WO2009157050A1 (en) Information processing device and program
Obied Broadcas t Encryption
Chen A Survey on Traitor Tracing Schemes
JP2004320183A (en) Apparatus and method for information processing, as well as computer program

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20030708

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: NAOR, SIMEON

Inventor name: NAOR, DALIT

Inventor name: LOTSPIECH, JEFFREY, BRUCE

RIN1 Information on inventor provided before grant (corrected)

Inventor name: NAOR, SIMEON

Inventor name: NAOR, DALIT

Inventor name: LOTSPIECH, JEFFREY, BRUCE C/O IBM UNITED KINGDOM

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIN1 Information on inventor provided before grant (corrected)

Inventor name: NAOR, SIMEON

Inventor name: NAOR, DALIT

Inventor name: LOTSPIECH, JEFFREY, BRUCE

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REF Corresponds to:

Ref document number: 60233929

Country of ref document: DE

Date of ref document: 20091119

Kind code of ref document: P

REG Reference to a national code

Ref country code: GB

Ref legal event code: 746

Effective date: 20091116

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: IBM RESEARCH GMBH ZURICH RESEARCH LABORATORY INTEL

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

REG Reference to a national code

Ref country code: GB

Ref legal event code: 746

Effective date: 20091215

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2334109

Country of ref document: ES

Kind code of ref document: T3

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20100208

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

PLAX Notice of opposition and request to file observation + time limit sent

Free format text: ORIGINAL CODE: EPIDOSNOBS2

26 Opposition filed

Opponent name: BRUNNER, JOHN MICHAEL OWEN

Effective date: 20100706

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20100131

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20100108

PLAF Information modified related to communication of a notice of opposition and request to file observations + time limit

Free format text: ORIGINAL CODE: EPIDOSCOBS2

PLBB Reply of patent proprietor to notice(s) of opposition received

Free format text: ORIGINAL CODE: EPIDOSNOBS3

APBM Appeal reference recorded

Free format text: ORIGINAL CODE: EPIDOSNREFNO

APBP Date of receipt of notice of appeal recorded

Free format text: ORIGINAL CODE: EPIDOSNNOA2O

APAH Appeal reference modified

Free format text: ORIGINAL CODE: EPIDOSCREFNO

PLAB Opposition data, opponent's data or that of the opponent's representative modified

Free format text: ORIGINAL CODE: 0009299OPPO

R26 Opposition filed (corrected)

Opponent name: BRUNNER, JOHN MICHAEL OWEN / MORRIS, CLAIRE LOUISE

Effective date: 20100706

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

APBU Appeal procedure closed

Free format text: ORIGINAL CODE: EPIDOSNNOA9O

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20100123

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20091007

PUAH Patent maintained in amended form

Free format text: ORIGINAL CODE: 0009272

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: PATENT MAINTAINED AS AMENDED

27A Patent maintained in amended form

Effective date: 20130102

AK Designated contracting states

Kind code of ref document: B2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

REG Reference to a national code

Ref country code: CH

Ref legal event code: AELC

REG Reference to a national code

Ref country code: DE

Ref legal event code: R102

Ref document number: 60233929

Country of ref document: DE

Effective date: 20130102

REG Reference to a national code

Ref country code: SE

Ref legal event code: RPEO

REG Reference to a national code

Ref country code: ES

Ref legal event code: DC2A

Ref document number: 2334109

Country of ref document: ES

Kind code of ref document: T5

Effective date: 20130503

REG Reference to a national code

Ref country code: NL

Ref legal event code: T3

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 15

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 16

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 17

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20210112

Year of fee payment: 20

Ref country code: IE

Payment date: 20210106

Year of fee payment: 20

Ref country code: CH

Payment date: 20210114

Year of fee payment: 20

Ref country code: FR

Payment date: 20210108

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: SE

Payment date: 20210114

Year of fee payment: 20

Ref country code: DE

Payment date: 20201223

Year of fee payment: 20

Ref country code: GB

Payment date: 20210127

Year of fee payment: 20

Ref country code: ES

Payment date: 20210212

Year of fee payment: 20

REG Reference to a national code

Ref country code: DE

Ref legal event code: R082

Ref document number: 60233929

Country of ref document: DE

Representative=s name: KUISMA, SIRPA, FI

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20210111

Year of fee payment: 20

REG Reference to a national code

Ref country code: DE

Ref legal event code: R071

Ref document number: 60233929

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MK

Effective date: 20220122

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: GB

Ref legal event code: PE20

Expiry date: 20220122

REG Reference to a national code

Ref country code: IE

Ref legal event code: MK9A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20220123

Ref country code: GB

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20220122

REG Reference to a national code

Ref country code: ES

Ref legal event code: FD2A

Effective date: 20220429

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20220124